DennisHermannsen

We need to talk about the "security warning" during an upgrade, WHMCS...

I'm currently upgrading our last WHMCS installation to WHMCS 8.1.3. It's taking quite some time because of the changes to the tblemail table.
During all of the time (a period of 30+ minutes), everyone accessing our website is met with this message:

[Attached image: billede.png]

Since I've enabled maintenance before starting the upgrade, I surely wouldn't expect WHMCS to show anything but the maintenance message.
Also, why is WHMCS even broadcasting to every visitor that there's a /install folder present on the website? Everyone can access it by default (it requires no login) and thus everyone could mess everything up.

Good points. For the time being, maybe update your .htaccess file to restrict access to the site to your IP only? Then remove the rule after the upgrade is completed and the install folder has been deleted. Not the best solution but it's something in the short term.

6 hours ago, evolve hosting said:

Good points. For the time being, maybe update your .htaccess file to restrict access to the site to your IP only? Then remove the rule after the upgrade is completed and the install folder has been deleted. Not the best solution but it's something in the short term.

Expanding on that, using rewrites to check the IP and rewrite to a maintenance file would allow access without a forbidden error shown to clients. 

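RewriteEngine on
# Do not redirect the maintenance page itself, otherwise the rule below loops
RewriteCond %{REQUEST_URI} !^/maintenance\.html$
# Apply to every client except the allowed IP
RewriteCond %{REMOTE_ADDR} !=1.2.3.4
RewriteRule ^(.*)$ /maintenance.html [R=301,L]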

 


You sure a 301 (permanently moved) redirect is the desired choice there? 302 would be temporary. 😉
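
The IP-based maintenance rule discussed in the replies above, reworked as an added example that is not part of the original thread: instead of redirecting, it answers every client except one admin address with a 503 and serves the maintenance page as the error body, so nothing is cached as a permanent move. It assumes Apache 2.4 with mod_rewrite and an AllowOverride setting that permits these directives; 203.0.113.10 and /maintenance.html are placeholders.

```apache
# Added example, not from the thread. Place in the document root .htaccess
# for the duration of the upgrade and remove it afterwards.
# 203.0.113.10 is a placeholder for the admin's address;
# /maintenance.html is a placeholder static page in the document root.

# Body returned with every 503 generated by the rule below.
ErrorDocument 503 /maintenance.html

RewriteEngine On

# Let the maintenance page itself through. Apache fetches the ErrorDocument
# with an internal redirect, which passes through these rules again.
RewriteCond %{REQUEST_URI} !^/maintenance\.html$

# Match every client except the admin address.
RewriteCond %{REMOTE_ADDR} !=203.0.113.10

# Answer with 503 Service Unavailable. A status outside 300-399 drops the
# substitution and stops rewriting, so the request never reaches the
# application or the install directory, and the visitor's URL is unchanged.
RewriteRule ^ - [R=503,L]
```

If the site sits behind a proxy or CDN, REMOTE_ADDR is the proxy's address, so the condition has to be evaluated where the real client address is visible.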


We did end up disabling it through .htaccess - but my main concern is that WHMCS doesn't use the maintenance warning instead, and that they basically scream "HEY, THIS WEBSITE IS INSECURE!!! TRY GOING TO /INSTALL TO SEE FOR YOURSELF"... That could be handled a lot more nicely.
Imagine if WHMCS also put up a public warning for each website that used an EOL version of PHP... 😅

Edited by DennisHermannsen

6 hours ago, DennisHermannsen said:

Imagine if WHMCS also put up a public warning for each website that used an EOL version of PHP... 😅

don't be giving them ideas... 😲

"thank you for contacting support - you'll either need to pay us $9.99 USD to remove the banner from your public site for 12 months... or alternatively, you can upgrade your version to a newer supported release." 🤑

20 minutes ago, brian! said:

don't be giving them ideas... 😲

I'm fairly certain they're out of ideas already. In a month or so, there's going to be a new post to this thread with a message looking like this:
 

Quote

Hi @DennisHermannsen,

That is not something we have planned for WHMCS 8.x

However we welcome requests for new API commands online at http://requests.whmcs.com
Feel free to suggest this as a new idea for comment and voting upon by other WHMCS users.

The more votes an idea receives, the more likely it is to be considered by our development team for potential inclusion in a future feature update.

I can then see that the request gets 1 or 2 upvotes because nobody uses that system unless they're referred to it... 😆

I don't get why everything has to be a feature request. Fixing something that's clearly broken shouldn't have to be requested.
But someone at WHMCS will obviously argue that it's by design 🤯


This is why I always upload the installation folder last, then quickly do the upgrade and delete it. But at least in version 7.x this is not shown to visitors, only when you try to access the admin area.

Edited by yggdrasil
