MrGettingRatherFrustrated (Posted February 13, 2021)
I reported a security vulnerability to WHMCS a week ago, they logged a ticket which has now been closed. The vulnerability relates to a hardcoded password in WHMCS installations - can someone please give me the contact details of whoever is responsible for security?

Kian (Posted February 13, 2021, edited)
There's no need to spam opening 6 threads. Submit another ticket or reply to the existing one and wait. There are hundreds of bugs and vulnerabilities in this software so don't panic. It's part of the game.

MrGettingRatherFrustrated (Author, posted February 13, 2021)
Sorry, I disagree - the same password hardcoded in every WHMCS installation and obfuscated PHP so you have no idea what is actually going on? It should scare the crap out of you and everyone else using it.

Kian (Posted February 13, 2021, edited)
I've been using this software since 2007 and I've seen plenty of disasters. Some of them still exist. That said, there's no "special" way to contact WHMCS. Even if you think your issue is special. Submit a new ticket or reply to the existing one.

MrGettingRatherFrustrated (Author, posted February 13, 2021)
As I'm sure you know, logging tickets with the support team is a fairly pointless task - they even tried to defend that this wasn't that big a deal. This isn't "my" issue - this is a risk to all customers. Having identified it, I am protected as I have been able to mitigate/neutralise the problem. I need to bypass the hell desk and reach someone competent. I was rather surprised to discover that they don't have a published security contact.

Kian (Posted February 13, 2021)
There's no way to bypass the help desk, especially because it's the weekend. If the problem is so serious you could set WHMCS in maintenance mode. You could also try describing the problem here.

WHMCS John, WHMCS Support Manager (Posted February 13, 2021)
Hi there,

Whilst a support ticket may be closed, indicating the end of the particular interaction with the support team on a matter, the case opened with the development team remains open independently and will be addressed according to the severity determined by our team.

In this particular case, a default FTP backup password value has been assessed as not representing a security vulnerability without an accompanying hostname or password. However, we're certainly appreciative of the report and will address it in a future update. Thanks for your bug report.

We encourage and reward responsible disclosure of genuine security concerns via our bounty program: https://www.whmcs.com/security-bounty-program/

For information on how we handle bug reports, please refer to: https://docs.whmcs.com/How_we_handle_Bug_Reports