Potential Security Issues



Hello All,

Hoping someone can shed some light on this matter.

OK maybe not a massive security issue but nevertheless something that has been pointed out to us after a so-called 'expert' tried hacking our install and wanted bounty money. God loves a tryer eh...

So let's take an example.

Say someone fills out one of the forms on the site, they submit fine. All well and good. They get their email notification saying ticket submitted. Great. BUT...

IF you look at the email headers what you can find is:

Quote

X-PHP-Script: yourdomain.com/custm_admin_directory/supporttickets.php

tucked away in the message headers 😲

Maybe not a big deal BUT we have also found that the htaccess restriction for the admin directory in the latest version doesn't even work properly (yup, opened a ticket for it).

However, why is that line even presented in the headers? OK if it needs to be WHY include the admin/custom admin directory?

Seems like any and all emails being sent out have this line included in message headers, which, forgive me if I get this bit wrong, BUT I find it totally daft. Makes security of the admin/custom directory (even if it's security through obscurity) pointless.

Can anyone else confirm that they can see the same thing? Turned off all hooks (only using a few as it is) and it's the same result.

Curious if anyone else has spotted this...


@bear thanks. That was an easily explained post. Now the hard part. How to potentially implement that in WHMCS. Without even looking I am guessing it's going to be near impossible to find, let alone implement, due to all the files encoded? You would have thought they would think of this considering they have a section on protecting admin: https://docs.whmcs.com/Further_Security_Steps

OR am I thinking wrong and I can potentially do this server side without even touching WHMCS? But then it would apply to any and all sites 🤔


If you have WHMCS on a server that you have WHM access to, it's in tweak settings. Look under mail for "Track email origin via X-Source email headers" and shut it off. That should resolve it. 

Of course, it sounds like you have your billing system on a server where you have clients, which is typically a lot less secure...

Edited by bear
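
One way to confirm the leak described in the first post, and to re-check a test email after the WHM setting is switched off, as an added example that is not part of the original posts. The function name, the sample messages and the `X-Source-Args` value are constructed for illustration; only the `X-PHP-Script` line comes from the thread.

```python
import re
from email import message_from_string
from email.policy import default


def headers_disclosing(raw_message, admin_dir):
    """Return [(header, value)] for every header whose value contains
    admin_dir as a complete path segment (not merely as a substring)."""
    msg = message_from_string(raw_message, policy=default)
    hits = []
    for name, value in msg.items():
        text = " ".join(str(value).split())       # collapse folded lines
        segments = re.split(r"[/\\:\s]+", text)    # path and field separators
        if admin_dir in segments:
            hits.append((name, text))
    return hits


# Constructed samples. ADMIN_DIR is the directory name used in the thread.
ADMIN_DIR = "custm_admin_directory"

BEFORE = (
    "From: support@yourdomain.com\n"
    "To: client@example.org\n"
    "Subject: Ticket submitted\n"
    "X-PHP-Script: yourdomain.com/custm_admin_directory/supporttickets.php\n"
    "X-Source-Args: /usr/bin/php\n"               # folded header, continues below
    " /home/acct/public_html/custm_admin_directory/supporttickets.php\n"
    "\n"
    "Your ticket has been received.\n"
)

AFTER = (
    "From: support@yourdomain.com\n"
    "To: client@example.org\n"
    "Subject: Ticket submitted\n"
    "List-Id: custm_admin_directory2.yourdomain.com\n"   # similar name, no match
    "\n"
    "Your ticket has been received.\n"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        hits = headers_disclosing(raw, ADMIN_DIR)
        print(label, "->", hits or "no header discloses the directory")
```

Feed it the raw source of a notification email received at an external mailbox, since headers can be added or stripped between the application and the recipient.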

1 minute ago, bear said:

If you have WHMCS on a server that you have WHM access to, it's in tweak settings. Look under mail for "Track email origin via X-Source email headers" and shut it off. That should resolve it. 

@bear you are the MAN. I can look into that. Any potential issues you can think of that may be of an impact? Of course doing a quick search on that setting in interweb too but thought may as well ask...

3 minutes ago, bear said:

Of course, it sounds like you have your billing system on a server where you have clients, which is typically a lot less secure...

Nope, not the case 😉


2 minutes ago, steven99 said:

What version of WHMCS are you using?

Latest v8, but have v7 running too and it's the same case for both.

3 minutes ago, steven99 said:

mail sending are you using

The built-in PHP mailer. For one reason or another SMTP has never worked the way we wanted AND we have currently not taken the plunge of using an external one.. yet!
