Here We Go Again, What Is Going To Break Now.

[Gareth-Host Red Dragon]

WHMCS Security Advisory for 4.x and 5.x

 

WHMCS has released new patches for the 4.5, 5.0, 5.1, and 5.2 minor releases. These updates provide targeted changes to address security concerns with the WHMCS product. You are highly encouraged to update immediately.

WHMCS has rated these updates as including critical or important security impacts. Information on security ratings is available at xxxxxxxxx.

Releases

The following full-release versions of WHMCS have been published and address all known vulnerabilities:

5.2.6

The latest public releases of WHMCS are available inside our members area at xxxxxxxx

PLEASE NOTE: The 4.5 series reached End Of Life as of June 30th 2013. WHMCS is aware that some customers have not moved to an LTS version due to the newness of the LTS policy. The related 4.5 patch release published along with this Security Advisory is provided as a courtesy to those customers. From this point forward, there will be no more patches provided for 4.5 or any other release that has reached EOL.

Security Issue Information

The resolved security issues were identified and reported by

Vlad C. of NetSec Interactive Solutions http://safeornot.net

Rack911 https://www.rack911.com

FastVPS Eesti OU http://fastvps.ru

WHMCS development team.

There is no reason to believe that these vulnerabilities are known to the public. As such, WHMCS will only release limited information regarding the vulnerabilities at this time.

Once sufficient time has passed to allow WHMCS customers to update their installed software, WHMCS will release additional information regarding the nature of the security issue.

These Targeted Security Releases and Patches address 9 vulnerabilities in WHMCS versions 4.5, 5.0, .5.1, and 5.2.

 

Here we go again, what is going to break now.?????

 

oh and 

 

These Targeted Security Releases and Patches address 9 vulnerabilities in WHMCS versions 4.5, 5.0, .5.1, and 5.2.

 

Really thinking about going live with blesta right now, rather than wait to the 5 august

[cloudrck]

I've been live since b2. Blesta has come a very long way since than. Aside from a few issues that had to be fixed manually it's been fairly stable compared to what's on the market. I never considered WHMCS due to the security issues they've had, leaves a bad taste in my mouth knowing they have such poor coding standards.

[Paul]

It is getting pretty ridiculous. Someone commented on Facebook..

 

After patching to 5.1.8, my View/Search Clients page is not right. Is it just me or is anyone else seeing this on that version?

[SkylarM]

My search clients section hasn't worked since .4 I think? Do a search sometimes comes up with nothing sometimes shows the same client id/client 3-5 times for no reason. "Check all" on a lot of pages hasn't worked in forever.

 

Please please please get SolusVM additional provisioning features in soon, I want to be done with WHMCS.

 

 

^ Seriously?

[Paul]

 

^ Seriously?

 

What is that?

[Michael]

Any good before I waste my time f**king up my WHM**? I've had it with that shit software. But likewise I will need it for my domains haha so as-long as that works i'm ok, but ffs they have to keep releasing security patches.

[SkylarM]

What is that?

Blue square is the "check all" box in WHMCS. Boxes below that are the boxes not being selected all.

[chickc]

I run WHMCS Version: 5.2.5 and haven't had all that many issues with it, but it does get costly having to upgrade every 5 mins. due to security issues. And there are many quirks in their structure (such as invoice numbers changing upon manual input received payment).

 

But isn't that why most of us are here? We all have high hopes for Blesta to kick their programming butts.

 

Now, if I could only find someone to build me a Client Group Pages plugin.

[Michael]

I run WHMCS Version: 5.2.5 and haven't had all that many issues with it, but it does get costly having to upgrade every 5 mins. due to security issues. And there are many quirks in their structure (such as invoice numbers changing upon manual input received payment).

 

But isn't that why most of us are here? We all have high hopes for Blesta to kick their programming butts.

 

Now, if I could only find someone to build me a Client Group Pages plugin.

thing is we have to upgrade shortly else there are 9 issues which could cause us to be hacked or exploited but no way am I upgrading if it breaks more than it's worth.

[SkylarM]

Install is broken. "An upgrade is currently in progress" Order forms didnt work, etc etc. wth

[Michael]

Install is broken. "An upgrade is currently in progress" Order forms didnt work, etc etc. wth

oh my days. Thank god I'm not upgrading yet.

[silvatech]

I don't agree with them basically black mailing their customers to upgrade. How so you may ask? Well, (unless I am misinterpreting) becuase they have stated that in the near future they will release how the nine exploits are done. This would leave anyone vulnerable that has not updated.

 

:"Once sufficient time has passed to allow WHMCS customers to update their installed software, WHMCS will release additional information regarding the nature of the security issue."

 

Now, I am sure they are not going to give exact instructions, but any good information on the exploit and most hackers can pick up on the rest rather quickly.

[Michael]

I don't think they will release how to as they've not done that before, I believe they will say how the exploits happened like they could get in via whois etc.

[Paul]

I suggest upgrading ASAP, some broken stuff is better than a compromise. With a patch out, all an attacker has to do is run diff on the files to see what they changed and they will know the attack vector.

[SkylarM]

It's working now, Paul when you release an update if it doesn't work, for the love of god don't just over-write the download and label it as the same version number. There's literally no way to know that the 5.2.6 is a different upload than the one uploaded last night.

[Paul]

It's working now, Paul when you release an update if it doesn't work, for the love of god don't just over-write the download and label it as the same version number. There's literally no way to know that the 5.2.6 is a different upload than the one uploaded last night.

 

You don't have to worry about that, any change automatically calls for a new version number and release. What they are trying to do is avoid the embarrassment of patching a patch. We're a little less amateurish.

[Michael]

You don't have to worry about that, any change automatically calls for a new version number and release. What they are trying to do is avoid the embarrassment of patching a patch. We're a little less amateurish.

Yep you did 3.0.0 B6 r2 so we know  

 

Also had to upgrade now since Matt assured me there was no bugs in the build 4.

[Paul]

Yep you did 3.0.0 B6 r2 so we know

 

Also had to upgrade now since Matt assured me there was no bugs in the build 4.

 

They are on their 4th build for the same patch now? 

[SkylarM]

They are on their 4th build for the same patch now? 

Build 3 had issues, so they "fixed" it with build 4. They have since re-patched build 4 3 times now without changing the build number, which you can only see the build number if you go digging through files to find the build number.

[Michael]

Build 3 had issues, so they "fixed" it with build 4. They have since re-patched build 4 3 times now without changing the build number, which you can only see the build number if you go digging through files to find the build number.

Well I just downloaded the one now which is build four.

 

I had this reply:

 

 

 

Hi Michael,

You should apply the 5.2.6 update to your WHM** installation in order to upgrade and ensure your installation is protected against the issues that have been identified. There are no known bugs in that release at this time, it has been through extensive testing, and the only issues have been the incorrect packaging of a couple of additional files resolved in build 4 and then the mistaken release of the 5.3 files under the same name again related to the packaging process rather than a functionality or coding bug.

Regards,

Matt

[Hostlumina]

This patches and upgrades are a joke. 

[MemoryX2]

This patches and upgrades are a joke. 

 

You've got that right.

 

I want to put Blesta into production, its just enom....  otherwise I would be done with WHMCS, and I can't wait because of garbage like this..

[Michael]

New upgrade 5.2.7 which apparently fixes old bugs however makes more bugs...

 

Quoted by Jay @ LP:

I've just upgraded to 5.2.7 and now I can't process any upgrades/downgrades from the admin side. It directs the popup window to admin/upgrade.php which doesn't exist. Guess I need to wait for the next patch to fix that problem, which will likely introduce even more problems...

 

[SkylarM]

Glad to see WHMCS is fixing their issues. Wait......

[Michael]

Glad to see WHMCS is fixing their issues. Wait......

yep wait 500 years and maybe they might be back to their normal selves.