Potential Security Issues

[Manchester Web Hosting]

Hello All,

Hoping someone can shed some light on this matter.

OK maybe not a massive security issue but neverthless something that has been pointed out to us after a so called 'expert' tried hacking our install and wanted bounty money. God loves a tryer eh...

So lets take an example.

Say someone fills out one of the forms on the site, they submit fine. All well and good. They get there email notifcation saying ticket submitted. great. BUT...

IF you look at the email headers what you can find is:

Quote

X-PHP-Script: yourdomain.com/custm_admin_directory/supporttickets.php

tucked away in the message headers 😲

Maybe not a big deal BUT we have also found that the htaccess restriction for the admin directory in latest version doesnt even work properly (yup opened a ticket for it).

However, why is that line even presented in the headers? OK if it needs to be WHY include the admin/custom admin directory?

Seems like any and all emails being sent out have this line included in message headers which fogive me if i get this bit wrong BUT I find it ttally daft. Makes security of the admin/custom directory (even if its security through obsecurity) pointless.

Can anyone else confirm that they can see the same thing? turned off all hooks (only using a few as it is) and its the same result.

Curious if anyone else has spotted this...

[bear]

This explains it pretty well. It's not WHMCS, but php.
https://www.the-art-of-web.com/php/x-php-script/

[Manchester Web Hosting]

@bear thanks. That was an eaily explained post. Now the hard part. How to potentially implemnt that in whmcs. Without even looking I am guessing its going to be near impossible to find let alone implemnt due to all the files encoded? You would have though they would think of this considering they have a section on protecting admin: https://docs.whmcs.com/Further_Security_Steps

OR am i thinking wrong and I can potentially do this server side without even touching whmcs? but then it would apply to any and all sites 🤔

[bear]

If you have WHMCS on a server that you have WHM access to, it's in tweak settings. Look under mail for "Track email origin via X-Source email headers" and shut it off. That should resolve it. 

Of course, it sounds like you have your billing system on a server where you have clients, which is typically a lot less secure...

Edited November 18, 2020 by bear

[Manchester Web Hosting]

1 minute ago, bear said:

If you have WHMCS on a server that you have WHM access to, it's in tweak settings. Look under mail for "Track email origin via X-Source email headers" and shut it off. That should resolve it. 

@bear you are the MAN I can look into that. Any potential issues you can think of that may be of an impact? ofcourse doing a quick search on that setting in interweb too but thought may as well ask...

3 minutes ago, bear said:

Of course, it sounds like you have your billing system on a server where you have clients, which is typically a lot less secure...

Nope, not the case 😉

[bear]

Downside? If you have a script/form being abused that will make tracing it a bit more difficult, but not impossible. Terrific convenience on servers where you have clients hosted, though.

[Manchester Web Hosting]

cool. dont think thats going to be an issue.... unless I start abusing it myself!

Thanks @bear for the input much appreaciated 😊

[steven99]

What version of WHMCS are you using?  Also, what type of mail sending are you using?  That is under General settings -> Mail tab -> mail type.  I can see it being an issue on PHP mail but not on SMTP.  

[Manchester Web Hosting]

2 minutes ago, steven99 said:

What version of WHMCS are you using?

Latest v8 But have v7 running too and its the same case for both.

3 minutes ago, steven99 said:

mail sending are you using

The builtin php mailer. for one reason or another smtp has never worked the way we wanted AND currently not took the plunge of using an external one.. yet!

[steven99]

Best to use SMTP as some spam filters will rank php mail higher and thus potentially send to spam.   Using an external service like mailgun's SMTP service may work if your SMTP service wont work.