WHMCS Security Advisory 2020-01-28 [ONLY FOR PEOPLE WHO USE WHMCS]
#1
A few minutes ago, at 4:37 PM GMT+01:00 (Amsterdam, Netherlands), I received an email about a security issue from WHMCS. Since there are a number of providers here who use it, I am sure that they have been informed of the same email content that I have received.

[EMAIL CONTENT]
Hello,

We are writing to advise you of a potential security vulnerability when htaccess directives are not enforced appropriately for WHMCS. This most commonly occurs in web server environments such as nginx.

Affected Versions

WHMCS 6.0 and later

How to tell if you're affected

If the following file is readable from a web browser, then you need to investigate and apply appropriate configurations for your web server environment.

https://www.example.com/path/to/whmcs/ve...er/LICENSE

A verification tool has also been made available to assist in determining if your web server environment is affected. This tool can be downloaded here.

How to fix the vulnerability

Please follow the instructions provided in the detailed security advisory:

WHMCS Security Advisory 2020-01-28

WHMCS is here to help, if you are unsure if your system is enforcing .htaccess directives you can open a support ticket for assistance.

Kind regards,
WHMCS
[END OF MESSAGE]
To do this, proceed as follows.
1.) Download the file: Security Advisory 2020-01-28 Verification Tool
2.) Upload the file in the WHMCS path.
3.) Enter the following address in your browser: (SSL) (WHMCS) https://your.domain/security_advisory_20...n_tool.php - or to the folder where your WHMCS is set.
4.) Perform the check and this script will tell you if your WHMCS version is infected. If your WHMCS is not infected with the security issue, you can remove the check at the bottom of the page (recommended).
5.) If you are infected, make sure that you solve this problem as soon as possible by following this link to their docs page: https://docs.whmcs.com/Security_Advisory_2020-01-28. Can't solve it? Open a support ticket at WHMCS so that they can help you further.

(Information for users at Hostlease: our WHMCS is not infected!)
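
The "readable from a web browser" check described in the email, as an added example (not WHMCS's verification tool and not part of the original post): it requests a file that .htaccess rules are supposed to block on your own installation and reports whether the web server served it. The URL is supplied by the operator because the path in the email is truncated here; the verdict names and the HTML heuristic are assumptions of this example.

```python
import sys
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects: a bounce to a login or error page is not the file."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx code


def classify(status, content_type, body):
    """Verdict for a file that .htaccess rules are meant to keep private."""
    # "blocked" here covers denied, absent and redirected-away responses.
    if status in (401, 403, 404, 410) or 300 <= status < 400:
        return "blocked"
    if status != 200 or not body.strip():
        return "inconclusive"
    # Assumption of this example: the probed file is plain text, so an HTML
    # answer is the application's own page (front controller), not the file.
    head = body.lstrip()[:256].lower()
    if "html" in content_type.lower() or head.startswith((b"<!doctype", b"<html")):
        return "inconclusive"
    return "exposed"


def probe(url, timeout=10):
    """Fetch url once, without following redirects, and classify the answer."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            ctype = resp.headers.get("Content-Type", "")
            return classify(resp.status, ctype, resp.read(4096))
    except urllib.error.HTTPError as err:
        return classify(err.code, "", b"")
    except (urllib.error.URLError, OSError):
        return "inconclusive"  # DNS, TLS or connection failure: no verdict


if __name__ == "__main__":
    # Usage: python check_htaccess.py <URL of the file named in the advisory>
    verdict = probe(sys.argv[1])
    print(f"{sys.argv[1]}: {verdict}")
    sys.exit(1 if verdict == "exposed" else 0)
```

An "exposed" verdict means the server is not enforcing the .htaccess rules for that path; an "inconclusive" one should be checked by hand in a browser.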
#2
Thanks for posting the roundup, Jordy. I don't use WHMCS myself, of course, but a close friend of mine does, and I've passed this on to him on Discord. From the information I have about his version, and from the security test mentioned above, I could see that this vulnerability does affect his WHMCS installation as well.

Thanks for the heads-up again. It'll surely help many of us.

Regards,
Sayan Bhattacharyya,

Heartiest thanks to Post4VPS and Virmach for my wonderful VPS 9!


