I reported a security vulnerability to WHMCS a week ago, they logged a ticket which has now been closed.

The vulnerability relates to a hardcoded password in WHMCS installations - can someone please give me the contact details of whoever is responsible for security


There's no need to spam opening 6 threads. Submit another ticket or reply to the existing one and wait.

There are hundreds of bugs and vulnerabilities in this software so don't panic 🤭 It's part of the game.

Edited by Kian


I've been using this software since 2007 and I've seen plenty of disasters. Some of them still exist.

That said, there's no "special" way to contact WHMCS. Even if you think your issue is special. Submit a new ticket or reply to the existing one.

Edited by Kian


As I'm sure you know, logging tickets with the support team is a fairly pointless task - they even tried to defend that this wasn't that big a deal.

This isn't "my" issue - this is a risk to all customers, having identified it I am protected as I have been able to mitigate/neutralise the problem.

I need to bypass the hell desk and reach someone competent, I was rather surprised to discover that they don't have a published security contact.


There's no way to bypass the help desk, especially because it's the weekend. If the problem is so serious you could set WHMCS in maintenance mode. You could also try describing the problem here.


Hi there,

Whilst a support ticket may be closed, indicating the end of the particular interaction with the support team on a matter, the case opened with the development team remains open independently and will be addressed according to the severity determined by our team.

In this particular case, a default FTP backup password value has been assessed as not representing a security vulnerability without an accompanying hostname or password. However, we're certainly appreciative of the report and will address it in a future update. Thanks for your bug report.

We encourage and reward responsible disclosure of genuine security concerns via our bounty program: https://www.whmcs.com/security-bounty-program/

For information on how we handle bug reports, please refer to: https://docs.whmcs.com/How_we_handle_Bug_Reports

This topic is now closed to further replies.
