MDDHosting Forums

WHMCS - Critical Security Advisory for 5.2.8 - Our Support System Temporarily Disabled


Michael D.


Hello,

Unfortunately, another exploitable hole has been found in the billing software we use and offer, called WHMCS. Until this exploit is patched, our support system will be unavailable and we will perform any required tasks via email. The email addresses are support, billing, sales @mddhosting.com.

We are still here and working - so if you need anything just shoot us an email to the appropriate address and we'll handle your issues.

We have investigated on our end and verified that we have not been hit with this exploit and no data has been viewed or stolen by a third party.

This action is required to keep your client information safe and we apologize for any inconvenience this may cause you.


It's a new exploit - one on October 3, and now one on October 17.

 

We're in the process of putting a web application firewall between the internet and our WHMCS installation so that we can bring it back online securely as well as putting some targeted rules in our internal firewall specific to this exploit.


Our billing system is now behind a Web Application Firewall that will catch and stop exploit attempts such as these. In addition to this - we've placed some specific mod_security rules for WHMCS in our Corporate Server to help prevent anything specific to WHMCS should it somehow slip past our Web Application Firewall.

 

Lastly - a patch is available. We have updated and should now be secure from the original exploit even without the WAF and the mod_sec rules, but three layers of security is better than none.


I tried to send out an email to all of our customers running WHMCS; however, it appears the "Mass Mail" feature of WHMCS is broken in 5.2.9. I will be sending out direct emails one by one, so I apologize if you don't get this message quickly. I'm posting a copy here for those that are watching:

 

 

A patch has been issued for the critical WHMCS security issue we emailed you about around 9 hours ago. You can get the incremental patch from http://blog.whmcs.com/?t=80223 if you're already on version 5.2.8. You can download the full version of the patched version 5.2.9 from our support system if you are not on 5.2.8 currently.

Directions for getting the full version:
1. Log into our support system at http://www.mddhosting.com/support/
2. Select "Services" in the top navigation bar, it is the second option from the left.
3. Select "My Services" in the drop-down menu.
4. Click "View Details" next to the Reseller or Dedicated Server account that you purchased with included WHMCS.
5. Across the top you will see a tab titled "Downloads", and once you click on it you will see WHMCS listed. Simply click on the "Download" link to begin the download.

WHMCS themselves provide the absolute best support for their software and direct support is available at https://www.whmcs.com/members/submitticket.php?step=2&deptid=13 .

Any support issues pertaining to the installation, upgrade, integration, or management of WHMCS should be directed to their support department.

You can get upgrade assistance directly from WHMCS at http://www.whmcs.com/services/upgrade-service/ if you require it.
