WHMCS - Critical Security Advisory for 5.x


4 replies to this topic

#1 MikeDVB

    Forum Administrator


Posted 03 October 2013 - 05:00 PM

Below are the contents of the WHMCS Notice found here, for your convenience.

============

WHMCS has released new patches for the 5.2 and 5.1 minor releases. These updates provide targeted changes to address security concerns with the WHMCS product. You are highly encouraged to update immediately.

WHMCS has rated these updates as having critical security impacts. Information on security ratings is available at http://docs.whmcs.com/Security_Levels.

Releases
The following patch release versions of WHMCS have been published to address a specific SQL Injection vulnerability:
v5.2.8
v5.1.10

Security Issue Information

The resolved security issue was publicly disclosed by "localhost" on October 3rd, 2013.
The vulnerability allows an attacker who has a valid login to the installed product to craft a SQL Injection Attack via a specific URL query parameter against any product page that updates database information.

Mitigation

WHMCS Version 5.2

Download and apply the appropriate patch files to protect against these vulnerabilities.

Patch files for affected versions of the 5.2 series are located on the WHMCS site as itemized below.

v5.2.8 (full version) - Downloadable from our Support System
v5.2.8 (patch only; for 5.2.7) - http://go.whmcs.com/...528_Incremental

To apply a patch, download the files indicated above and replace the files within your installation.
No upgrade process is required.

WHMCS Version 5.1

Download and apply the appropriate patch files to protect against these vulnerabilities.

Patch files for affected versions of the 5.1 series are located on the WHMCS site as itemized below.

v5.1.10 (patch only; for 5.1.9) - http://go.whmcs.com/...110_Incremental

To apply a patch, download the files indicated above and replace the files within your installation.  No upgrade process is required.

All versions of WHMCS are affected by this vulnerability; however, only 5.1 and 5.2 will be provided updates per our Long Term Support Policy.

You can read more about our Long Term Support Policy here:

http://docs.whmcs.co...ng_Term_Support

========

All resellers have been notified via email about this issue.



Michael Denney - MDDHosting, LLC - Professional Hosting Solutions
LiteSpeed Powered - Shared, Reseller, Premium, and VPS
Incremental R1Soft CDP Backups on all shared, semi-dedicated, and VPS services!
http://www.mddhosting.com/ - Follow us on Twitter!


#2 frankacter

    Member


Posted 03 October 2013 - 06:06 PM

Michael,

Will this update be applied to VPS accounts by MDD support?

Frank



#3 MikeDVB


Posted 03 October 2013 - 06:24 PM

Frank,

I do not believe you're running WHMCS but WHM [from memory without looking at your account details]. If you are running WHMCS - then it's up to you to perform the update. If you're unable to do so - WHMCS does have a service for this -> https://www.whmcs.co...pgrade-service/

Honestly though - updating WHMCS is as easy as following the directions provided in the update file. For the incremental you just upload the files over the existing files. For the complete - you would do the same thing but it may overwrite customizations if you're not careful using the full package.




#4 frankacter


Posted 03 October 2013 - 06:50 PM

You are exactly right Michael, I'm using WHM.

That said, spotted this in the CloudFlare blog:

http://blog.cloudfla...day-on-day-zero

A nice stopgap for admins until they get the patch in place.



#5 MikeDVB


Posted 03 October 2013 - 06:57 PM

Indeed - CloudFlare is a nice solution for some protection against such attacks. It's not perfect - but it can help.

In this case I do not believe they would have protected against the issue before they added the rule set, otherwise they wouldn't have had to add the rule set. We were attacked before CloudFlare had added this to their rule set, I do believe.

