Security update just announced


So, a new security issue affecting all versions is only patched for 7.7 and up. Anyone using 7.6.1 (as we are) is being forced to pay to upgrade to the very next version or greater in order to be safe from a bug/flaw that also existed in the 7.6.1 version? For us, that's 2x $59, *just* to secure our two installs.

No chance of rolling patches out for this also?


What do you expect? WHMCS 7.6 has been EOL for over 1 1/2 years, which means there are neither bug fixes nor security updates. A company like WHMCS cannot maintain updates for every WHMCS version just because users don't want to keep their system up-to-date.

WHMCS clearly shows when each version will be EOL and will no longer receive support and updates. Users who do not update their system run the risk of security problems at their own risk. And if you don't pay for update access, you won't get any updates, which is quite logical and easy to understand. We don't work for free.


  • WHMCS Support Manager

Hi all,

Today we have published new releases for all actively supported versions of WHMCS as well as a patch which can be applied to EOL versions 7.7, 7.8 and 7.9. Patches will not be released for any earlier versions of WHMCS.

For information please refer to https://blog.whmcs.com/133679/security-update-2021-02-26

We always recommend running a Current or Long Term Support version of WHMCS to benefit from the latest features, usability improvements, maintenance and security updates. To learn more about our Long Term Support policy, please refer to: https://docs.whmcs.com/Long_Term_Support

Security updates are released outside the usual Support & Updates eligibility criteria, so provided you are eligible to access a particular major version, you'll be able to use the corresponding security update for free.

For example, if you were eligible to access any v7.10 version, then you will be able to apply the 7.10.3 update without needing to renew.

You would not be able to apply the 8.0.5 or 8.1.3 updates, because your subscription does not cover access to those major versions.

If you do see a message after applying the correct maintenance update for your subscription, please force a remote license check and access should be restored immediately.


18 minutes ago, WHMCS John said:

Security updates are released outside the usual Support & Updates eligibility criteria, so do not require an Active Support & Updates subscription for legacy owned licenses.

But with mine being just outside of that window, I'm stuffed. I haven't needed or wanted any of the new features of WHMCS, but do expect a serious bug affecting all versions (which was present while I was still on active support) to allow for the fix to be ported to all versions. I'm not asking for features, I'm asking not to have to pay $120 to obtain just a security fix. I can understand not wanting to support a lot of versions, but this is not a feature or something that needs changing because of some third party... this is a security issue, present (presumably) in all versions.
Not everyone wants the new versions.

Edited by bear

27 minutes ago, WHMCS John said:

Hi all,

Today we have published new releases for all actively supported versions of WHMCS as well as a patch which can be applied to EOL versions 7.7, 7.8 and 7.9. Patches will not be released for any earlier versions of WHMCS.

For information please refer to https://blog.whmcs.com/133679/security-update-2021-02-26

We always recommend running a Current or Long Term Support version of WHMCS to benefit from the latest features, usability improvements, maintenance and security updates. To learn more about our Long Term Support policy, please refer to: https://docs.whmcs.com/Long_Term_Support

Security updates are released outside the usual Support & Updates eligibility criteria, so provided you are eligible to access a particular major version, you'll be able to use the corresponding security update for free.

For example, if you were eligible to access any v7.10 version, then you will be able to apply the 7.10.3 update without needing to renew.

You would not be able to apply the 8.0.5 or 8.1.3 updates, because your subscription does not cover access to those major versions.

If you do see a message after applying the correct maintenance update for your subscription, please force a remote license check and access should be restored immediately.

I attempted to perform the update; it forced me to purchase a support subscription, and even your support staff said I had to. I assume I can get a refund on that, then?


4 hours ago, bear said:

But with mine being just outside of that window, I'm stuffed. I haven't needed or wanted any of the new features of WHMCS, but do expect a serious bug affecting all versions (which was present while I was still on active support) to allow for the fix to be ported to all versions. I'm not asking for features, I'm asking not to have to pay $120 to obtain just a security fix. I can understand not wanting to support a lot of versions, but this is not a feature or something that needs changing because of some third party... this is a security issue, present (presumably) in all versions.
Not everyone wants the new versions.

I think you're asking a bit too much. WHMCS v7.6 was EOL'ed almost two years ago. How can you expect them to provide security updates for that version? It's a miracle that they even provide one for v7.7-v7.9.
If I was still on v5.3, I couldn't complain that there's no security fixes. It's just how it works.


48 minutes ago, DennisHermannsen said:

I think you're asking a bit too much.

I'd be far less upset if versions beyond the one I'm on were worth the cost of upgrading for us.
Nothing I'd find useful has been added, and many, many things have been broken in them over time. Now I'll be forced to pay this and at the same time upgrade to an unwanted version, with all its issues that will need fixing with hooks and tricks, menus that need PHP coding to change, SSL checks no one asked for, and so on and so forth.
Kind of like having to get a stick, and finding it has two short ends, neither terribly clean.


8 hours ago, bear said:

Nothing I'd find useful has been added, and many, many things have been broken in them over time

Well, if you don't find the security updates or bug fixes useful, you don't have a reason to upgrade then. There has been a lot of bug fixes for WHMCS since 7.6.
My argument is still valid - if I was on v5.3 (or even 1.3), I could say the same thing as you. That I don't want to be forced to upgrade because v5.3 has everything I need. You can't expect WHMCS to support versions that have been EOL'ed a long time ago. You don't see Microsoft patching security holes in Windows XP, even though that version is the golden version of Windows to a lot of users.

8 hours ago, bear said:

menus that need PHP coding to change and SSL checks no one asked for and so on and so forth. 

You don't need to use hooks to change the menu. You can change it as HTML if you want to. SSL checks can be disabled.


If you were a software developer, would you really want to support every version of the software that you developed? Your code base will most likely have changed between major versions, which means fixing security issues is not the same for each version.


2 hours ago, DennisHermannsen said:

You don't need to use hooks to change the menu. You can change it as HTML if you want to. SSL checks can be disabled.

You seem determined to downplay my concerns and make it look like I don't care about security, but that's not my problem.
What concerns me is that hooks statement. "Change it as HTML"? Have a read: https://docs.whmcs.com/Editing_Client_Area_Menus
If you're using a predefined hook made by WHMCS, you can edit it and *include* HTML in the hook file. If not theirs, you need to make one.
As for the SSL checks? That should have been optionally enabled, not automatically, then needing to edit all traces from the interface.

Quote

There has been a lot of bug fixes for WHMCS since 7.6

I think you'll see most of those are bugs introduced by the newer release versions which were then fixed. The pattern is: fast dev (every few months), short beta, short candidacy, fast release, then wait for the bugs that need fixing. The latest version has had tons of complaints, things we need as providers removed and so on. Is it any wonder I don't want to move to that version?

As for your Windows XP example? They supported it for 5 years after EOL. The current death of WHMCS versions is roughly one year.


24 minutes ago, bear said:

What concerns me is that hooks statement. "Change it as HTML"? Have a read: https://docs.whmcs.com/Editing_Client_Area_Menus

You can still just edit it as HTML... In your header.tpl, you have this:

<section id="main-menu">

    <nav id="nav" class="navbar navbar-default navbar-main" role="navigation">
        <div class="container">
            <!-- Brand and toggle get grouped for better mobile display -->
            <div class="navbar-header">
                <button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#primary-nav">
                    <span class="sr-only">Toggle navigation</span>
                    <span class="icon-bar"></span>
                    <span class="icon-bar"></span>
                    <span class="icon-bar"></span>
                </button>
            </div>

            <!-- Collect the nav links, forms, and other content for toggling -->
            <div class="collapse navbar-collapse" id="primary-nav">

                <ul class="nav navbar-nav">

                    {include file="$template/includes/navbar.tpl" navbar=$primaryNavbar}

                </ul>

                <ul class="nav navbar-nav navbar-right">

                    {include file="$template/includes/navbar.tpl" navbar=$secondaryNavbar}

                </ul>

            </div><!-- /.navbar-collapse -->
        </div>
    </nav>

</section>

Remove the includes - you'll have no menu and can insert whatever you'd like. It has been possible to do it like that since they introduced editing the menu using hooks.

24 minutes ago, bear said:

As for the SSL checks? That should have been optionally enabled, not automatically, then needing to edit all traces from the interface.

Ok, so every feature you don't need should be disabled by default? Why complain about it when there's literally a setting that disables the functionality that you don't want? If you want software that's tailored to your needs, you should have some developed.

24 minutes ago, bear said:

I think you'll see most of those are bugs introduced by the newer release versions which were then fixed

Yes, it's difficult fixing bugs for a feature that isn't implemented yet. It's very rare that a feature that has been in WHMCS forever suddenly stops working.

24 minutes ago, bear said:

Is it any wonder I don't want to move to that version?

No one is telling you to update to WHMCS 8. You could easily do with an update to 7.7. That said, version 8 is stable. We're using it on 3 separate installations with no issues. The only issues we've had were with the new user implementation, but they have been fixed. You can disable that feature, by the way - like most other features they introduce.

24 minutes ago, bear said:

As for your Windows XP example? They supported it for 5 years after EOL. The current death of WHMCS versions is roughly one year.

My point was not that they supported it after EOL. My point was that you can't get mad at a company for not supporting something they clearly stated they won't be supporting.

Edited by DennisHermannsen

13 minutes ago, DennisHermannsen said:

Ok, so every feature you don't need should be disabled by default? Why complain about it when there's literally a setting that disables the functionality that you don't want?

A setting? Last I read, the SSL check needed a flag on the cron to prevent it running, then edits all over to remove the flags and references. It's just a click and it's all gone now? Please point me to that documentation.

The point of having it disabled by default was that it was badly implemented and caused havoc. It was checking (and may still do) every domain in the system for an SSL certificate on the hosting account, even if there was no hosting account. With many hundreds (or more) domains in the system, it was literally DOSing yourself each time it ran. So yes, major features and changes should be optional to ENABLE, not on and a surprise when things go pear shaped.

Quote

it's difficult fixing bugs for a feature that isn't implemented yet

You stated this: "if you don't find the security updates or bug fixes useful, you don't have a reason to upgrade then. There has been a lot of bug fixes for WHMCS since 7.6". That was clearly intended to make it appear I don't care about it, when in fact there were none for my version that weren't implemented.
The point you appear to be missing is that I've just been told there's a very serious security issue that I need to pay $60 for more than one installation to fix, and it also includes me having to upgrade, fix all the things it's broken, apply patches where needed and hope for the best. Basically, devote a large chunk of time to resolving this, move to a version that's even more bloated, and pay for the privilege. Cool.

Quote

Remove the includes - you'll have no menu and can insert whatever you'd like. It has been possible to do it like that since they introduced editing the menu using hooks.

Please link to the docs where it explains that bit about removing the includes to do whatever you want.


20 minutes ago, bear said:

A setting? Last I read, the SSL check needed a flag on the cron to prevent it running, then edits all over to remove the flags and references. It's just a click and it's all gone now? Please point me to that documentation.

A flag, setting, parameter. Call it what you want. You're able to disable it. Removing it from templates doesn't require edits "all over". It's two files. In case you're not using a default WHMCS template, this change would have to be made once.

20 minutes ago, bear said:

The point of having it disabled by default was that it was badly implemented and caused havoc. It was checking (and may still do) every domain in the system for an SSL certificate on the hosting account, even if there was no hosting account. With many hundreds (or more) domains in the system, it was literally DOSing yourself each time it ran. So yes, major features and changes should be optional to ENABLE, not on and a surprise when things go pear shaped.

That's weird. On our 3 installations, it's only checking active services, as it should. It wouldn't make any sense checking inactive/cancelled services.

20 minutes ago, bear said:

That was clearly intended to make it appear I don't care about it, when in fact there were none for my version that weren't implemented.

No, it wasn't. You said nothing useful was added in any of the updates. Security updates are included with the latest versions of WHMCS. You can't expect WHMCS to solve issues for the few percent of users of EOL'ed versions that don't want to upgrade to later versions.
Wouldn't you think that I was out of my mind if I was still on version 1.3 and expected them to release security fixes for that version, just because I didn't want to upgrade (whatever the reason was)?

20 minutes ago, bear said:

Please link to the docs where it explains that bit about removing the includes to do whatever you want.

It's not described in the documentation. WHMCS advises you to make customizations to the menu by hooks - and it's great for modules. If a module needs to add a menu item, the module can do so by hooks.
Everything is basically HTML and can be changed. See this:

[image: qPtOIFg.png]

There's plenty of alternatives to WHMCS, and you're free to use whatever you like. I get why you're frustrated, but I don't get why you're blaming WHMCS.


1 hour ago, DennisHermannsen said:

It's not described in the documentation.

Exactly. The point to the use of hooks is that disabling the prebuilt menu items removes the usefulness of that menu system. I can kludge WHMCS all day long, but that's what it is, a kludge.

Quote

I don't get why you're blaming WHMCS

Blaming? No blame here.
I'm frustrated that a security issue that was present in the version I run will not be addressed, though it was present when it was released and I still had active support. I'm also frustrated that I'm being forced to upgrade to a new version (along with all the additional work that generates) in order to get something serious fixed.

Quote

There's plenty of alternatives to WHMCS

None that are very good, but I've been using it for a lot of years (since long before Cpanel was ever involved; ask Matt). The whole "you could move to something else" is an argument I've heard countless times to defend something like this. It's as pointless as ever, I'm afraid. Feel free not to respond and prolong your participation, as it's just dragging the conversation to the point the mods will simply close it.


3 hours ago, DennisHermannsen said:

There has been a lot of bug fixes for WHMCS since 7.6.

of course, the corollary of that is that those versions must have been released containing a lot of bugs in the first place for that to be true. 😎

13 minutes ago, DennisHermannsen said:

You can disable that feature, by the way - like most other features they introduce.

oh wow - there are none so blind...

15 minutes ago, DennisHermannsen said:

My point was that you can't get mad at a company for not supporting something they clearly stated they won't be supporting.

he can if he wants to. 🙂

6 minutes ago, DennisHermannsen said:

You said nothing useful was added in any of the updates.

actually, he said nothing that *he* would find useful... there's a difference.

6 minutes ago, DennisHermannsen said:

You can't expect WHMCS to solve issues for the few percent of users of EOL'ed versions that don't want to upgrade to later versions.

you can question that drawing the line at v7.7 (which is also EOL) is arbitrary (even the docs effectively state they can pick & choose which versions they apply security updates to that have gone EOL)....

interestingly, the v7.7 - v7.9 security patch only contains one file, and that original file doesn't exist in v7.6 and earlier versions, so perhaps solutions for pre-v7.7 releases would take more testing.... or there might be another conclusion that I couldn't possibly suggest, nor would I expect WHMCS to publicly comment on. 😉

39 minutes ago, bear said:

Please link to the docs where it explains that bit about removing the includes to do whatever you want.

as Dennis says, there won't be a how-to mentioned in the docs... but if you really wanted to replace the navbar with an HTML menu...

[image: AKOBcaG.gif]

the above sample code is from https://codepen.io/arjunamgain/pen/YXBeLJ and is shown in a v8.1.1 install (haven't bothered updating any installs yet).... if you had to make it multilingual, then there would need to be Smarty language strings used throughout the code... though personally, I wouldn't bother going down that road.

11 minutes ago, bear said:

dragging the conversation to the point the mods will simply close it.

yep - this is a thread destined for closure or deletion. ⚠️


Just to add one thing to this, as I have been running WHMCS for at least 15 years. Yes, new features are nice, but when your developers are spending time making the "Admin" SEO friendly (yes, that's right, a place which search engine spiders can't even access has been given SEO friendly URLs) and yet the front end isn't even properly SEO friendly without a huge amount of custom hackery (try getting Google to properly index anything other than your default language in a vanilla WHMCS), and it has actually gotten worse, not better, with newer versions. That says it all in my book.


On 2/26/2021 at 4:16 PM, roger55 said:

What do you expect? WHMCS 7.6 has been EOL for over 1 1/2 years, which means there are neither bug fixes nor security updates. A company like WHMCS cannot maintain updates for every WHMCS version just because users don't want to keep their system up-to-date.

WHMCS clearly shows when each version will be EOL and will no longer receive support and updates. Users who do not update their system run the risk of security problems at their own risk. And if you don't pay for update access, you won't get any updates, which is quite logical and easy to understand. We don't work for free.

You do realize Microsoft or Red Hat or even SUSE patch their software for 10+ years, right?

It's not uncommon in the B2B market to have very long supported versions and pieces of software, because your target is not a regular consumer. It's a business. As such they have other things to do than upgrading critical platforms every year. 2 years for long term support on software such as WHMCS is short, way too short to even call it Long Term. This is more true because every new release they take 5 years to fix bugs and 10 years to add features. No, I'm not joking. WHMCS does take 5 years to fix some bugs, and you can check their feature request page; years is an understatement. So they expect their customers to keep upgraded to date every 2 years, but they make zero commitment to add or fix things in the same period. If you add to this third-party software and customizations, 2 years is not that much to test everything. I'm always running the latest supported version for a reason.

On 2/26/2021 at 4:43 PM, bear said:

But with mine being just outside of that window, I'm stuffed. I haven't needed or wanted any of the new features of WHMCS, but do expect a serious bug affecting all versions (which was present while I was still on active support) to allow for the fix to be ported to all versions. I'm not asking for features, I'm asking not to have to pay $120 to obtain just a security fix. I can understand not wanting to support a lot of versions, but this is not a feature or something that needs changing because of some third party... this is a security issue, present (presumably) in all versions.
Not everyone wants the new versions.

The patch is 1 file and a few lines of code. It takes an hour to apply this to other versions. If they cannot do that, then I would seriously reconsider my programming skills. Most security patches in software like WHMCS work the same for all versions, because it's usually just fixing some syntax or adding a new check in PHP which will work on all versions. The rest of the files in the patch are just related to the actual file fixed.

On 2/26/2021 at 9:32 PM, DennisHermannsen said:

I think you're asking a bit too much. WHMCS v7.6 was EOL'ed almost two years ago. How can you expect them to provide security updates for that version? It's a miracle that they even provide one for v7.7-v7.9.
If I was still on v5.3, I couldn't complain that there's no security fixes. It's just how it works.

No, they are not asking too much. There are tons of bugs that are not fixed from new version to new version. If your whole system relies on a hook (which WHMCS forces you to use) or some API or function that is still not fixed, you cannot roll it out because it will cascade and break your whole billing/ordering website. How do you explain that to your customers? Sorry, we cannot fix this because we're using software to which we don't have the source code, and even if we want to, we cannot fix it. How? How do you even fix something that is behind PHP encoded files? You can't. You are completely at the mercy of WHMCS to fix the issues. This can be tomorrow, or never. You really think people here are not upgrading because they are lazy or just don't want to run on the latest and greatest? That is not the reason. It's because of compatibility issues and bugs. It can really destroy your business and put your installation in an inoperable state until what you need is fixed.

This is why most people that do run some business or customers on WHMCS test every new release and upgrade for days first before rolling from development to production. And trust me, most find new bugs on every new release. Some are not even minor but huge bugs. And most of the time, they are also trigger-happy to completely remove functions someone is using daily.

If you are running on a supported version, the patch is just uploading a few files, but I can completely understand if someone now is forced to do a full upgrade of their installation. Bye, bye weekend...


11 minutes ago, yggdrasil said:

2 years for long term support on software such as WHMCS is short, way too short to even call it Long Term.

I can't speak for the latest versions, but the list here seems to indicate it's a single year, at least for prior releases.
https://docs.whmcs.com/Long_Term_Support

From that page was this interesting thing: "The LTS schedule, along with the severity of the identified issue, will determine what versions of WHMCS are candidates for any future refines."
They claim this flaw is very serious, affecting all versions, yet not serious enough to port to anything older than 7.7? 7.7 was around the time the one file in the patch was introduced in that folder. It didn't exist in prior versions.


On 2/27/2021 at 7:00 AM, DennisHermannsen said:

Well, if you don't find the security updates or bug fixes useful, you don't have a reason to upgrade then. There has been a lot of bug fixes for WHMCS since 7.6.
My argument is still valid - if I was on v5.3 (or even 1.3), I could say the same thing as you. That I don't want to be forced to upgrade because v5.3 has everything I need. You can't expect WHMCS to support versions that have been EOL'ed a long time ago. You don't see Microsoft patching security holes in Windows XP, even though that version is the golden version of Windows to a lot of users.

You don't need to use hooks to change the menu. You can change it as HTML if you want to. SSL checks can be disabled.


If you were a software developer, would you really want to support every version of the software that you developed? Your code base will most likely have changed between major versions, which means fixing security issues is not the same for each version.

Really? How do you change the sidebar menu links just using HTML?

You can't!

You need to use PHP hooks. That said, it's not possible just to use HTML to change some things on WHMCS anymore; now you need a programmer just to change a color, a link or add an icon. This is troublesome for people that expect the software to come with a theme that you can edit in your regular web design/IDE software, and then they find out some things are not even available in the template files at all. Stuff that was in the template files in the past and was removed in later versions. It seems every new major WHMCS release removes more than it adds. Like in WHMCS 8, people cannot even reset account passwords anymore... this is terrifying. Every time I see WHMCS announcing a major version, I'm afraid to open the link to see what was now removed...

Your web designer or webmaster cannot work with WHMCS anymore; you need a PHP developer now. This is not user-friendly in any sense for someone that is not using PHP for his/her website but expects HTML/CSS/JS like with any other page or system.

I have nothing against hooks if you had both options available. For example, change the same menu with a hook, or just by editing a template file. But instead WHMCS removed code from template files and now the code is behind ionCube PHP files, and you can only interact with them using the ultra buggy hooks system that loves to break your installation and is an absolute nightmare in performance if you expect any decent traffic on your WHMCS website.


28 minutes ago, bear said:

I can't speak for the latest versions, but the list here seems to indicate it's a single year, at least for prior releases.
https://docs.whmcs.com/Long_Term_Support

From that page was this interesting thing: "The LTS schedule, along with the severity of the identified issue, will determine what versions of WHMCS are candidates for any future refines."
They claim this flaw is very serious, affecting all versions, yet not serious enough to port to anything older than 7.7? 7.7 was around the time the one file in the patch was introduced in that folder. It didn't exist in prior versions.

That is the irony. They don't take a year to fix some bugs. They take years!!! I'm not even going to mention critical features, because then we are speaking about decades, yet WHMCS expects all their customers to run a version no more than 1 year behind.

I would have no problem with that if they also committed to fixing all bugs before a year, which they don't. This is also why they don't have a bug tracker in the open, as we would be able to see how long some things are still pending a fix.

I would be embarrassed to call this long term support. The folder for that patch, they just moved old code to new paths. It's the same files, but now they reside on the vendor library.

Edited by yggdrasil

1 hour ago, yggdrasil said:

Really? How do you change the sidebar menu links just using HTML?

You can't!

you could do it in the sidebar template using Smarty (if you *had* to), but I get your point.

1 hour ago, yggdrasil said:

That said, it's not possible just to use HTML to change some things on WHMCS anymore, now you need a programmer just to change a color, a link or add an icon.

it's a disgrace that WHMCS have gotten away with that for years.

1 hour ago, yggdrasil said:

Every time I see WHMCS announcing a major version, I'm afraid to open the link to see what was now removed...

that assumes that they always tell you about everything that has been removed.
