Security Advisory – HostBill versions 4.x

Started by Lawrence, June 11, 2013, 04:05:46 AM

Lawrence

There's been a security advisory for HostBill versions 4.x. This applies to anyone on the 4.x branch.

If you have the auto patcher, use it. If you'd rather update manually, continue reading.

You can download the security patch here.
- https://hostbillapp.com/clientarea/patches/hostbill_patch4.6.4_4347.zip

When you've downloaded the security patch, extract the contents into the main HostBill directory.
Skype: sociallarry | AIM: larry.aim@aim.com | Forum Rules & Information

These forums are hosted by me with no intentions to ever monetize them. These forums are here solely for the benefit of the HostBill community.

CBlade


UCG_Keith

Hi Lawrence,

Curious about the security patch; where is the CVE about the issue?  Was it published by HostBill? 

Lawrence


nldaniel

Looks like we might be in for some rough waters;

http://www.webhostingtalk.com/showthread.php?t=1277173
http://vpsboard.com/topic/786-hostbill-source-code-released-and-0-day-exploits-found/?p=11769

I'm still downloading to see what actually could be vulnerable; regardless we've still taken measures and disabled public hostbill in light of current SolusVM hacks.

Edit: Looks like just the front index.php got decoded; nothing backing up the "exploits found" claim

Patrick

Quote from: nldaniel on June 19, 2013, 12:55:38 AM
Looks like we might be in for some rough waters;

http://www.webhostingtalk.com/showthread.php?t=1277173
http://vpsboard.com/topic/786-hostbill-source-code-released-and-0-day-exploits-found/?p=11769

I'm still downloading to see what actually could be vulnerable; regardless we've still taken measures and disabled public hostbill in light of current SolusVM hacks.


Looking through the "source" files and a lot of it is still encrypted.  So far almost every file I've looked at.  This almost appears to be a false claim.  I cannot take this seriously until I see more.
Patrick - Forum Rules
Insanity: doing the same thing over and over again and expecting different results. - Albert Einstein

cloudhopping

I agree. The real question, however, is: if someone decoded 1 file, can they do more?

It could be a teaser - just in case I am keeping my ears to the ground in a few of the communities we all know exist for this kind of stuff - just in case.


TommyK


Patrick

The one file was decoded by dezender.  It is a legitimate decoder web site that charges about $5 a file.  So someone paid to decode the 1 file and create a "scare" is my opinion of it at this moment in time.  Not saying this isn't something to be taken lightly, but right now there is absolutely no evidence that I can see to the contrary.

cloudhopping

with places like [link removed for legal reasons]

it is only a matter of time before someone writes a simple script to shoot a command and decrypt each with $0 invested.

I do not place the blame for this on Kris - ionCube needs to step up its game and ensure that these tools do not work once they are made, and allow recryption (is that a word) if their crypt gets wanked...


CBlade

Ok, they decoded it, but what version? Now does this mean we will see an Open HostBill project under GPL?

joel

Hi,

Is there any way to find the HostBill installations on a cPanel server?

Enterprisevpssolutions

You have to be a little more specific on the question. Are you talking about looking for the install folder? http://wiki.hostbillapp.com/index.php?title=Installation. You need to start another post if you need help.
Enterprise Vps Solutions (VPS) - Cloud Solutions, Shared hosting, VPS , and more, Fast Dedicated Servers. Great ssl prices SSL Certs, Follow us on Twitter. Sales Question? Contact us! Send us a Request Tampa , Florida Hivelocity Datacenter

joel

Hello,

Thanks for your updates. My intention was to look for all hostbill installations under the accounts in a cPanel server and patch the new version. Need your suggestion to find out the best way to proceed.


joel
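One way to script the discovery-and-patch step Joel asks about, as an added example that is not code from this thread or from HostBill. It assumes cPanel document roots under /home/<account>/public_html and a marker file, passed as an argument (e.g. includes/config.php), that identifies a HostBill install; HostBill's real file layout is not stated in the thread, so the marker is an assumption, and the patch directory is the extracted contents of the zip.

```shell
#!/bin/sh
# Added example (not HostBill's or the thread's code). Finds HostBill installs
# under cPanel docroots and copies an extracted patch over each one, backing up
# every file the patch overwrites. The marker relpath is an assumption.

# find_hostbill_installs <home_root> <marker_relpath>
# Prints one install directory per line. The marker may sit directly in
# public_html or in a subdirectory such as public_html/billing; files inside
# our own backup directories are ignored so they never count as an install.
find_hostbill_installs() {
    _root=$1 _marker=$2
    find "$_root" -mindepth 2 -maxdepth 6 -type f \
        \( -path "*/public_html/$_marker" -o -path "*/public_html/*/$_marker" \) \
        ! -path "*/.hostbill-patch-backup/*" 2>/dev/null |
        sed "s|/$_marker\$||" | sort -u
}

# apply_patch <extracted_patch_dir> <install_dir>
# Copies every file of the patch into the install (creating directories as
# needed). A file that already exists is first copied, with its relative path,
# to <install_dir>/.hostbill-patch-backup/ so the change can be reverted.
# Prints the relative path of each file written.
apply_patch() {
    _src=$1 _dst=$2 _bak=$2/.hostbill-patch-backup
    ( cd "$_src" && find . -type f ) | while IFS= read -r _f; do
        _rel=${_f#./}
        if [ -f "$_dst/$_rel" ]; then
            mkdir -p "$_bak/$(dirname "$_rel")"
            cp -p "$_dst/$_rel" "$_bak/$_rel"
        fi
        mkdir -p "$_dst/$(dirname "$_rel")"
        cp -p "$_src/$_rel" "$_dst/$_rel"
        printf '%s\n' "$_rel"
    done
}

# patch_all_installs <home_root> <marker_relpath> <extracted_patch_dir>
# Applies the patch to every install found, reporting each directory touched.
patch_all_installs() {
    find_hostbill_installs "$1" "$2" | while IFS= read -r _inst; do
        printf '== %s\n' "$_inst"
        apply_patch "$3" "$_inst"
    done
}
```

Run it as root on the cPanel host, e.g. `patch_all_installs /home includes/config.php /root/hostbill_patch`, after extracting the zip to that patch directory.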