
Security update just announced



3 hours ago, brian! said:

you could do it in the sidebar template using Smarty (if you *had* to), but I get your point.

it's a disgrace that WHMCS have gotten away with that for years.

that assumes that they always tell you about everything that has been removed.

Of course, they don't because not even people working at WHMCS are aware of this. You will have someone replying on tickets that you can fully edit the client side using template files and themes, then when you ask some specific question like "show me the file or the code", they back pedal and tell you it can only be done with hooks. All you need to ask is which file that code is editable in, because there is no editable code!!!! That means their initial answers are of course completely false: you cannot fully edit the front end using template files. You haven't been able to for years now. This is why people are complaining about Bootstrap versions and many other things. Because the front ends have specific parts encoded...

Hooks are not template files. They are not injecting code into the Smarty template files but into some obscure Ioncube-encoded PHP file to which you don't have access.

The fact they have encoded the sidebar is shockingly disgusting for paid software, and that is only one example. There are many other things. No surprise some people just remove it completely and recreate it from scratch using their own code; then of course you cannot use hooks anymore... Why WHMCS cannot offer both is beyond my human understanding.

It's unacceptable for me from a business perspective selling commercial software that they put front end code behind license protection as if your website is their property. What kind of person even imagined this was a good idea? Your website is not their property !!!

They have no right to put code that is rendered to your users/customers or the public behind license protections. When you need to write PHP code to change a link on my website, it means something is terribly broken with the software or platform you are using. I want to believe this is a mistake and was never done on purpose, but they have already released two major versions and this was not corrected, which makes me seriously think they are doing this on purpose, and in the future they will probably inject ads into your website, or, why not, even redirect your visitors to their site randomly without your consent. Technically this is absolutely possible because they are now in control over what is rendered on your front website, and you have no way to see what the code does. If they can remotely change links on your site, you should be concerned. Because a hook is just overwriting the original code, and the original code is in a file nobody has access to or can see except a few WHMCS developers.

Eventually competitors will catch up on this and even make a mockery about WHMCS. WHMCS hates designers and developers, that is for sure.


39 minutes ago, yggdrasil said:

They have no right to put code that is rendered to your users/customers or the public behind license protections. 

While I have no knowledge of the reasoning behind this, my impression is they wanted to be sure no one could steal actual important code, but they developed it in such a way that it's now far too intertwined to separate out properly and encode only the guts of it. Too many calls to protected functions, maybe, or just bad dev practices. Who can say? Easier to run the bulk through the encoder than to separate out only that which needs it.
Weren't there some open source bits they use/used that were behind it as well, and folks tried asking why and got no valid explanation? You can probably find the thread(s) on here, if they're still visible.

Ioncube encoding is only keeping honest people honest. Those that want the full source, well, they have ways. Cumbersome on us, that's a fact.


6 hours ago, bear said:

While I have no knowledge of reasoning behind this, my impression is they wanted to be sure no one could steal actual important code, but they developed it in such a way that it's now far too intertwined to separate out properly and encode only the guts of it. Too many calls to protected functions, maybe, or just bad dev practices. Who can say? Easier to run the bulk through the encoder than to separate out only that which needs it.
Wasn't there some open source bits they use/used that were behind it as well, and folks tried asking why and got no valid explanation? Probably find the thread(s) on here, if they're still visible.

Ioncube encoding is only keeping honest people honest. Those that want the full source, well, they have ways. Cumbersome on us, that's a fact.

Bootstrap and TinyMCE are not their code to protect.

Ioncube, which I also use, is for PHP server-side code. You are not supposed to use it on CSS, HTML or JS, which is rendered by the user's browser anyway and is fully viewable in the page source by anyone on the Internet. And you don't generate HTML, CSS or JS with PHP either. This is bad practice and the reason you have a template system like Smarty or Twig: the whole idea of using template files is to completely separate design from logic, so that webmasters don't mess with programmers' code and each one works on their own code without affecting the other. WHMCS mixes everything: they generate classes from PHP (the reason why people need to ask them to upgrade Bootstrap...), or they generate some things with Smarty and some with PHP, and then they even encode open source code like TinyMCE... They seriously need to clean up their code and stop hard coding the user front end inside PHP. This also includes some language variables which are still hard coded and cannot be translated.

Even if the whole software was fully open and you could edit the PHP, it would still be bad practice. PHP should never generate user front end code that is browser rendered. At least not in software you are selling to others and expect those people to modify the design of. This is why you have template files, and separate things into structures and folders. This is the whole reason why projects even have a vendor library (to be able to quickly update dependencies...).

And Ioncube is heavily misused here as well. They are not protecting their software from piracy but just losing customers, because anyone smart enough knows you cannot obfuscate code that runs in a system you control. It's not really rocket science to dump PHP from memory; unless WHMCS is not aware, it's only stopping script kiddies and hurting honest people that pay for their software. In the end, WHMCS is not that expensive as to be worth pirating. At $120 per year for upgrades, that is still pennies if they are upgrading, patching and adding new features every year. I and everyone else that makes even a few bucks would happily pay for that privilege, as even one hour of a decent developer would cost more. The ones that pirate WHMCS are not making any money in the first place; it's not as if they lost any customers, as those people don't have any money to pay them in the first place. This is something game developers or even Microsoft have learned now. In fact, those people are still creating a parallel market for them and may even potentially convert into paying customers some day.


There's lots of this discussion that interests me (on a few levels), but at the end of the day it's a choice to use WHMCS, and if you don't like it (legally/ethically/best practices aside) then don't use it.

WHMCS is not the same company it was. There is not the same interaction and personal level with the developer (Matt); it's now a corporate entity. Beating your head against a wall or waving your fist isn't going to get attention.

Legacy clients will be expected to drop off, so it's better to cut them loose through policy. Legacy clients aren't going to bring continued revenue. Sadly that's a reality.


4 hours ago, Damo said:

Legacy clients will be expected to drop off so it's better to cut them loose through policy. Legacy clients aren't going to bring continued revenue. Sadly that's a reality. 

I'm sure they wouldn't lose any sleep if owned licenses were no longer in use, since the monthly revenue from leasing pays better. At least they still allow us to upgrade (if we wish, or are forced to) at a reasonable (though increased) cost, instead of the Kayako method of pricing us all out. 

I never expected to avoid upgrading completely, but being *JUST* on the other side of the released fixes for a serious-sounding threat is incredibly disappointing. It's more likely, in my thinking, that the fix was nearly the same for the latest and those three older ones, and that's why it was rolled out to them also. Since the file structure is very different in versions older than 7.7, it would have meant more work to patch that as well, and fewer people must be on that.

If this flaw has existed back through far older versions (assuming from statements made by support), I'd wonder why the security audits we assume are happening never spotted it. 


4 hours ago, Damo said:

Beating your head against a wall or waving your fist isn't going to get attention.

there are (will be) ways to get attention and hopefully improve the situation at some point - granted posting here about issues is increasingly pointless, but I don't believe that we have quite reached the point of defeatism and surrender to the inevitable yet.


5 hours ago, Damo said:

There's lots of this discussion that interests me (on a few levels) but at the end of the day it's a choice to use WHMCS and if you don't like it (legally/ethically/best practices aside) then don't use it. 

WHMCS is not the same company it was. There is not the same interaction and personal level with the developer (Matt) it's now a corporate entity. Beating your head against a wall or waving your fist isn't going to get attention.

Legacy clients will be expected to drop off so it's better to cut them loose through policy. Legacy clients aren't going to bring continued revenue. Sadly that's a reality. 

Except that isn't true. Legacy clients still need to pay the yearly support fees to keep updated. It's also indirectly a subscription fee. At least I have always paid it because I need the patches and security updates.
