
Security Updates after OCT 31st 2022 - OWNED License


jfcampos-Qualive


  • 2 weeks later...
  • WHMCS Support Manager

Hi @jfcampos-Qualive,

Security related updates for the minor version you last had access to, will be available. These do not require an active Support and Updates subscription and are available to download, install and run even should your Support and Updates subscription have lapsed.

Long Term Support policy rules do still apply, and you can only run the versions up to and including the latest available minor version at the time your Support and Updates access expired.


6 minutes ago, WHMCS John said:

Security related updates for the minor version you last had access to, will be available. These do not require an active Support and Updates subscription and are available to download, install and run even should your Support and Updates subscription have lapsed.

Most of the security updates don't translate back more than a few versions, so small comfort in that. 😉


  • 2 weeks later...
On 7/10/2022 at 3:12 AM, malfunction said:

Hilarious that WHMCS think 12 months is "Long Term Support".  Compare with Canonical, Microsoft and the like who seem to consider ~10 years to be the LTS standard.

You should be glad that they are at least clarifying for 12 months, otherwise they have already surprised owned license owners 😶.

Edited by GoogieHost

13 minutes ago, GoogieHost said:

You should be glad that they are at least clarifying for 12 months, otherwise they have already surprised owned license owners 😶.

Is anyone with an owned license still running it on a public website? I'm seriously curious what they will do in one of the following instances:

1. You receive an email about a security hole from WHMCS. You are screwed, since you cannot fix the code. You will be forced to subscribe in order to get the updates to the security patches, and since you are on an older version it's going to probably take more work than usual. So far, it seems those owned users are still lucky that no such thing has happened...yet...that mail is coming anytime.

2. You will eventually need to upgrade PHP, or MySQL on your server. Your owned license probably does not support PHP 8. Again, you are screwed since you can't update the code to make it compatible. Again, you need to upgrade WHMCS. Ioncube the company is more or less going down the pipe, they don't even have their software compatible with PHP 8 for over a year, this ironically is now also screwing WHMCS as they can't make their software compatible for PHP 8 for that reason. The rumor is that Ioncube is going bust...as they can't really make their encoders work well with PHP 8 (performance seems horrible and they can't still make it secure either...)

That would be a real irony since just like we depend on WHMCS for the code, WHMCS now depends on Ioncube to keep selling their software.

I hope everyone understands that the owned licenses were never owned in the first place. You don't own the code, you don't even get to see it, you can't secure it, you can't upgrade it, you can't fix bugs or change it. It's not your software, never was. People had no issues with this model for years because WHMCS was a cheap PHP software and it had many competitors. But they also changed as a company.

Running a website that process customers data and payments outdated, and you are going to probably be liable once your customers data is stolen, or their billing info stolen, or someone orders spam services or just breaks your whole installation. It's not a question of if, but when...

I don't think owned licenses have any choice except:

1. Upgrade to a subscription WHMCS plan

2. Move to something else.

I'm curious who here is actually still on an owned license. I suspect most have already moved or upgraded to a subscription. It would be crazy to keep running WHMCS on a very old release. Owned users probably still have a few more months but time is not on their side. They probably have to come up with some decision to 1 or 2 before the end of this year.

Anyone here with an owned license reading this, be warned, if a security hole is found, you will have no choice but either upgrade WHMCS to patch it right away (hours, not days) since bots will either already know your site or scan the web to find it or you will have to take the whole installation offline until you can either upgrade or migrate to something else. Both scenarios take time, and this is not something you want to be doing under pressure, on a weekend or out of the blue. I suspect most people already planned a move or upgrade but since someone just asked this I suspect many people still think their owned licenses are receiving security patches. Well, the question is no. And they will not receive one either.


8 hours ago, yggdrasil said:

Is anyone with an owned license still running it on a public website? I'm seriously curious what they will do in one of the following instances:

1. You receive an email about a security hole from WHMCS. You are screwed, since you cannot fix the code. You will be forced to subscribe in order to get the updates to the security patches, and since you are on an older version it's going to probably take more work than usual. So far, it seems those owned users are still lucky that no such thing has happened...yet...that mail is coming anytime.

2. You will eventually need to upgrade PHP, or MySQL on your server. Your owned license probably does not support PHP 8. Again, you are screwed since you can't update the code to make it compatible. Again, you need to upgrade WHMCS. Ioncube the company is more or less going down the pipe, they don't even have their software compatible with PHP 8 for over a year, this ironically is now also screwing WHMCS as they can't make their software compatible for PHP 8 for that reason. The rumor is that Ioncube is going bust...as they can't really make their encoders work well with PHP 8 (performance seems horrible and they can't still make it secure either...)

That would be a real irony since just like we depend on WHMCS for the code, WHMCS now depends on Ioncube to keep selling their software.

I hope everyone understands that the owned licenses were never owned in the first place. You don't own the code, you don't even get to see it, you can't secure it, you can't upgrade it, you can't fix bugs or change it. It's not your software, never was. People had no issues with this model for years because WHMCS was a cheap PHP software and it had many competitors. But they also changed as a company.

Running a website that process customers data and payments outdated, and you are going to probably be liable once your customers data is stolen, or their billing info stolen, or someone orders spam services or just breaks your whole installation. It's not a question of if, but when...

I don't think owned licenses have any choice except:

1. Upgrade to a subscription WHMCS plan

2. Move to something else.

I'm curious who here is actually still on an owned license. I suspect most have already moved or upgraded to a subscription. It would be crazy to keep running WHMCS on a very old release. Owned users probably still have a few more months but time is not on their side. They probably have to come up with some decision to 1 or 2 before the end of this year.

Anyone here with an owned license reading this, be warned, if a security hole is found, you will have no choice but either upgrade WHMCS to patch it right away (hours, not days) since bots will either already know your site or scan the web to find it or you will have to take the whole installation offline until you can either upgrade or migrate to something else. Both scenarios take time, and this is not something you want to be doing under pressure, on a weekend or out of the blue. I suspect most people already planned a move or upgrade but since someone just asked this I suspect many people still think their owned licenses are receiving security patches. Well, the question is no. And they will not receive one either.

Or make a deal with WHMCS team to fix the security bugs in our versions, via some paid support deal. Most likely WHMCS would be willing to do this, because they halfly already ruined their name with what they have done the last few years, and ruining perfectly good hosting companies by not offering security fixes would make a bad situation even worse for them. Or we simply just remove the encoding on the files, and fix the bugs ourselves. Ioncube has been broken for a long time now, and it's a waste of time encoding any files. The encoding can be removed very cheaply by online services, and yes also WHMCS they just added some extra security checks in their source, so a direct 1=1 decoding of whmcs does not work, but you can replace quite a bit of the original encoded files, with decoded files before whmcs starts spitting errors out.


On 7/22/2022 at 1:57 PM, lulzkiller said:

Or make a deal with WHMCS team to fix the security bugs in our versions, via some paid support deal. Most likely WHMCS would be willing to do this, because they halfly already ruined their name with what they have done the last few years, and ruining perfectly good hosting companies by not offering security fixes would make a bad situation even worse for them. Or we simply just remove the encoding on the files, and fix the bugs ourselves. Ioncube has been broken for a long time now, and it's a waste of time encoding any files. The encoding can be removed very cheaply by online services, and yes also WHMCS they just added some extra security checks in their source, so a direct 1=1 decoding of whmcs does not work, but you can replace quite a bit of the original encoded files, with decoded files before whmcs starts spitting errors out.

Well, good luck with that approach. Personally, I don't think that is a proper plan since it's based on assumptions that you can either patch your installation or WHMCS is going to do it for money (which they will not since they want to stabilize users into similar versions and not having to keep maintaining different software releases...).

And about removing the encoding... How is that going to work?

Are you going to pay to remove every single file until you find the one that has a security hole? To some obscure fraud online service which does piracy and can just run with your money?

Even assuming you even know which file that is since WHMCS is not going to tell you exactly what the security hole or fix is either. You now have to basically audit your own WHMCS version for security bugs which is going to be more expensive than to just subscribing to WHMCS. If you can actually maintain your own old WHMCS version, then it's going to be more expensive in development than something that works. And the decoding of Ioncube is far from perfect, most classes and functions are not the same and it just assumes how some things work and you will have to recreate the code to make it work properly. And while there are some decoded versions online for WHMCS they are not actually decoded but the source code leaked which is why they work and they are very old releases plagued with many security holes that you would be insane to even try to put on a live production site, not to mention most things in WHMCS already changed to use newer API's for domain modules, payments, etc., in that ancient release they will not work properly anymore or again, you will have to recode them to upgrade them.

If you actually have that sort of resources, you might as well just create your own WHMCS software from scratch since maintaining someone else's code is probably more work than creating your own.

Believe it or not, the subscription to WHMCS is still cheaper than any of the options you proposed. And if you don't want a subscription, your only option is to migrate to something else. I'm not trying to be negative here, I'm just being realistic. I suspect many people have explored their options and I do know one thing. Staying on an old WHMCS version forever is absolutely no business plan or option for anyone. I know that, WHMCS knows that.

If you want to use WHMCS, your only options are to subscribe or move to something else. Personally, I'm not sticking around until a security hole hits the door next month, or next week or tomorrow. If you value your business, it's like playing with fire if you don't upgrade software on a regular basis. It might work for some time, but you will have to upgrade at some point.

Edited by yggdrasil
