Leaderboard

Popular Content

Showing content with the highest reputation on 11/21/2013 in all areas

  1. I saw this article mentioned in the ARIN mailing list recently, and found it quite interesting. http://www.renesys.com/2013/11/mitm-internet-hijacking/ Apparently, route hijacking has been on the rise in 2013. Worth the read if you have a few minutes.
    1 point
  2. Hello, We are currently developing a tcadmin module. Of course it's going slow but we plan on having a full working version out soon. We are still debating on if we will offer this module for free or for a very small monthly licensing fee. Don't pay attention to the horrible logo job. We'll update as we keep moving forward on this project.
    1 point
  3. This is added in CORE-810 for v3.1 as a department-level override setting for the Support Manager plugin.
    1 point
  4. Michael

    License Key Screen

    Yeah I understand mate, I try to put that on my website.
    1 point
  5. Michael

    License Key Screen

    No problem glad to have been of assistance. License to only shows the company name, in the settings. 1. Yeah I agree would be nice to show you that it's updated like we have on the reseller portal (License key updated: owned-000000000000000000) 2. Should be active else it will show an error that you're not licensed. 3. If you buy from a reseller like myself, we provide the support, and you get support here on the forum. If you are a Blesta customer you can contact them via the client area ticket system or here. 4. Same as 3.
    1 point
  6. Cody

    Login With Curl To Blesta.

    Paul is referring to disabling CSRF token validation for the client login page only. Disabling CSRF token validation on a login form does not introduce any security vulnerabilities. At best an attacker that knows a particular user's login credentials could trick that (or another) user into logging into that system. Of course, if your login credentials are known to an attacker you have bigger problems to worry about.
    1 point
  7. Cody

    Login With Curl To Blesta.

    WHMCS does not validate CSRF tokens on login.
    1 point
  8. Paul

    Forum Restored

    Restarted the server running the forums this afternoon (around 4pm pacific time) and it wouldn't come back up.. kernel panic. Ugh. So, I had to restore it and we may have lost a few posts, as the most recent backup was apparently corrupt.. so the one from an hour previous was restored. We back up the forums every hour, with significant retention, and I'm considering backing up more frequently. The client area is on another server, so completely unaffected.. and that one is backed up more frequently. If we lost one of your posts, sorry about that. I'm guessing we may have lost a couple.
    1 point
  9. EidolonHost

    Forum Restored

    My post was one of those that got ate. No big deal, I'll remake. At least we had a recent backup to work with... so that's good to know. I was wondering why my post disappeared until I went and found my e-mail with the link, which directed me to here. Nice, that.
    1 point
  10. Paul

    Forum Restored

    I know, crazy huh.. our old forum was vbulletin 3.7, which apparently isn't affected. I never could get myself to upgrade to v4 or v5, and opted to go a different route.
    1 point
  11. Michael

    Tcadmin Module(In Progress)

    It's not the mobile, forum is laggy as F*. And he didn't finish paying, how much, we'll donate a bit towards it.
    1 point
  12. With all due respect, Ken, only some random troll would think the security work we do is for publicity. In the last year alone we have found in excess of 200 security vulnerabilities in almost every popular hosting application and every popular hosting control panel. We are the reason cPanel assembled a new security team and the sole reason their backup system is being rewritten from scratch. Not only have we found all of those security vulnerabilities which have/are being handled responsibly, but we came up with a few new exploit techniques previously unheard of! I fail to see how you think we are doing all of this for "publicity" unless you believe we should not be writing advisories at all to get our name out there? You clearly do not understand the amount of time and effort that goes into our work to help make the hosting community safer. Should we not be compensated in the form of advertising by posting advisories and/or offering our services? I just can't wrap my mind around how anyone could have an issue with the work we do!
    1 point
  13. I'd say at this point hand it off to someone like Rack911 or one of the other trustworthy security firms. Let them do their thing and, if appropriate, post on WHT. If you make a public disclosure, it would immediately be shouted down as a conflict of interest.
    1 point
  14. Unfortunately the inclusive tax feature doesn't work. If I set an inclusive tax and add a new invoice, the tax is always added to the price. :-(
    1 point