Summy Posted March 4, 2009

I'm just wondering if it is fairly safe to remove unused modules, i.e. payment gateways, server modules and the like, from my WHMCS install. Also, is there any way in which I can find out what PHP files require HTTP access, other than those in the root folder and admin root folder? I plan to remove any unused modules, and secondly remove access (via .htaccess) to any PHP files that don't require direct access.
chickendippers Posted March 4, 2009

Why bother removing them? They don't do any harm or slow the system down.
openmind Posted March 4, 2009

I wouldn't say that I would remove unused payment gateway modules. We had an incident not so long ago where an order was authorised fraudulently by the user submitting a callback to the Quantum Gateway to clear the invoice.
Summy Posted March 4, 2009

Thanks openmind, that's exactly the kind of thing we want to prevent. Chickendippers, the reason is purely as a precautionary measure. I'm not saying it's a risk leaving unused modules lying around, but for the 5 minutes it takes to remove any unused scripts, or remove direct HTTP access to them, it's time well spent. If anyone else can chirp in, perhaps from WHMCS or first-hand experience, I guess it's going to be a 'suck it and see' test.

Edited March 4, 2009 by Summy
XN-Matt Posted March 6, 2009

Same thing re: Quantum gateway happened to us just now. Order, and paid using a gateway that we don't even have active! That's a massive **** up and surely there should be some error checking to prevent it!

Data was:

    invoice_num => 252866
    trans_result => APPROVED
    transID => 462570
    amount => 64.99
    cust_id =>
    ID => 252866
    max_score => 0.00
    authCode => 194521
    avs_result => Y
    cvv2_result => M
    md5_hash => NA
    decline_reason =>
    errorcode =>
openmind Posted March 6, 2009

From what Matt told me there was nothing to prevent this happening, as the Quantum gateway is easily spoofed with a fake callback.
XN-Matt Posted March 6, 2009

Phil, do you know if that's the only one?

Cheers
M
openmind Posted March 6, 2009

Not sure. To be safe I just binned all the gateways I wasn't using...
Summy Posted March 6, 2009

OK, so here is the chaff that we've removed so far, and all seems to be working OK, although this is a test environment; we have yet to go live with WHMCS.

1) Removed all unused admin, fraud, gateway, registrar and server modules. The only modules remaining on our set up are: enom, enomssl, maxmind, worldpayfuturepay (and the associated callback), and cpanel.

2) Placed .htaccess files with the following instructions:

    Order allow,deny
    Deny from all

   in these folders:

    ./includes
    ./lang
    ./libs
    ./modules
    ./pipe

3) So that the callback works, placed the following .htaccess file in the callback folder:

    # This needs improving to match the RBS WorldPay IP/Domains
    Order allow,deny
    Allow from all

4) Placed the following .htaccess file in the ./templates folder:

    <FilesMatch "\.(tpl|php|ini)$">
    Order allow,deny
    Deny from all
    </FilesMatch>

I'm not saying this is perfect, or that it won't break anything, as we're simply testing with it at this stage. Once we work out exactly what can be trimmed we'll put it all in the Apache config, as having .htaccess files all over the place is going to be a tad messy, unless it's something WHMCS can consider including in the releases.

There are a lot of folders/files that don't really need to be in the web root, but this is further consideration for WHMCS. For now we have to just be happy with blocking HTTP access to them. It may also be an idea to add an .htaccess block to the following file in the root folder: "dbconnect.php", probably others as well.
Chrisw Posted March 6, 2009

> Same thing re: Quantum gateway happened to us just now. Order, and paid using a gateway that we don't even have active! That's a massive **** up and surely there should be some error checking to prevent it!
>
> Data was:
>
>     invoice_num => 252866
>     trans_result => APPROVED
>     transID => 462570
>     amount => 64.99
>     cust_id =>
>     ID => 252866
>     max_score => 0.00
>     authCode => 194521
>     avs_result => Y
>     cvv2_result => M
>     md5_hash => NA
>     decline_reason =>
>     errorcode =>

Have you inspected your web logs to see how it was passed over?
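Chrisw's question about the web logs is the right one: the first sign of a spoofed callback is a request to a gateway callback script for a gateway you never enabled. The script below is an added example, not code from the thread or from WHMCS, showing how to audit Apache access-log lines for exactly that. The log lines are constructed samples, and the callback path /modules/gateways/callback/ and the file names quantum.php and authorizenet.php are assumptions used for illustration; substitute the callback file names your install actually has.

```shell
#!/bin/sh
# Audit Apache combined-format access logs for hits to gateway callback
# scripts belonging to gateways that are not on the active list.
# (Added example; not part of WHMCS or of the forum thread.)

# Constructed sample log, not real traffic. The callback path and the
# quantum.php / authorizenet.php file names are assumptions.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [06/Mar/2009:10:12:01 +0000] "POST /modules/gateways/callback/quantum.php HTTP/1.1" 200 512 "-" "curl/7.18"
198.51.100.4 - - [06/Mar/2009:10:13:44 +0000] "POST /modules/gateways/callback/worldpayfuturepay.php HTTP/1.1" 200 512 "-" "WorldPay"
203.0.113.7 - - [06/Mar/2009:10:15:09 +0000] "GET /modules/gateways/callback/authorizenet.php?x=1 HTTP/1.1" 200 320 "-" "Mozilla"
192.0.2.10 - - [06/Mar/2009:10:16:30 +0000] "GET /clientarea.php HTTP/1.1" 200 8000 "-" "Mozilla"
EOF

# Print "client timestamp method gateway" for every callback request whose
# gateway module is not in the active list.
#   $1 = access log path
#   $2 = space-separated list of active gateway module names
rogue_callbacks() {
    awk -v active="$2" '
        BEGIN {
            n = split(active, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        {
            # In combined format the request line is fields 6-8: "METHOD path HTTP/x"
            path = $7
            sub(/\?.*/, "", path)            # drop the query string
            if (path ~ /^\/modules\/gateways\/callback\/[^\/]+\.php$/) {
                gw = path
                sub(/.*\//, "", gw)          # keep the file name
                sub(/\.php$/, "", gw)        # file name == gateway module name
                if (!(gw in ok)) print $1, $4, $6, gw
            }
        }' "$1"
}

# Number of callback hits for gateways you do not use. Anything above zero
# means someone is probing or spoofing callbacks and the invoices they
# touched should be checked against the gateway's own records.
count_rogue_callbacks() {
    rogue_callbacks "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: only worldpayfuturepay is active, so the quantum and
# authorizenet hits are reported.
rogue_callbacks "$SAMPLE_LOG" "worldpayfuturepay"
```

Run it against the real log with the active list taken from the gateway modules you actually left in place after trimming; once the unused callback scripts are deleted or blocked in .htaccess, these requests will show up as 403/404 instead of 200, which is the state you want.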