Author Topic: Security Alert - time to d/l patch for WHMCS  (Read 1320 times)

0 Members and 2 Guests are viewing this topic.

Offline tallship

  • 614
  • 19
  • Active Participant
  • *****
  • Manager Network Services
    • Skype - tallship
    • Business Internet and Telephony since 1985.
Security Alert - time to d/l patch for WHMCS
« on: October 04, 2013, 01:21:43 AM »
========================================
WHMCS Security Advisory for 5.x
http://blog.whmcs.com/?t=79427
========================================

WHMCS has released new patches for the 5.2 and 5.1 minor releases. These updates
provide targeted changes to address security concerns with the WHMCS product.
You are highly encouraged to update immediately.

WHMCS has rated these updates as having critical security impacts. Information
on security ratings is available at http://docs.whmcs.com/Security_Levels


== Releases ==
The following patch release versions of WHMCS have been published to address a
specific SQL Injection vulnerability:
v5.2.8
v5.1.10

== Security Issue Information ==

The resolved security issue was publicly disclosed by "localhost" on
October 3rd, 2013.
The vulnerability allows an attacker, who has valid login to the installed
product, to craft a SQL Injection Attack via a specific URL query parameter
against any product page that updates database information.


== Mitigation ==

=== WHMCS Version 5.2 ===

Download and apply the appropriate patch files to protect against these
vulnerabilities.

Patch files for affected versions of the 5.2 series are located on the WHMCS
site as itemized below.

v5.2.8 (full version) - Downloadable from the WHMCS Members Area
v5.2.8 (patch only; for 5.2.7) - http://go.whmcs.com/218/v528_Incremental

To apply a patch, download the files indicated above and replace the files
within your installation.
No upgrade process is required.

=== WHMCS Version 5.1 ===

Download and apply the appropriate patch files to protect against these
vulnerabilities.

Patch files for affected versions of the 5.1 series are located on the WHMCS
site as itemized below.

v5.1.10 (patch only; for 5.1.9) - http://go.whmcs.com/226/v5110_Incremental

To apply a patch, download the files indicated above and replace the files
within your installation.
No upgrade process is required.

========================================

WHMCS Limited
www.whmcs.com

- Members Area: https://www.whmcs.com/members/
- Support: http://www.whmcs.com/support/
- Documentation: http://docs.whmcs.com/
- Community Forums: http://forums.whmcs.com/
Bradley D. Thornton - Manager Network Services, NorthTech Computer   TEL: +1.310.388.9469 (US) | +44.203.318.2755 (UK) | +61.390.088.072 (AU) | +41.43.508.05.10 (CH)
Registered Linux User #190795 - "Ask Bill why the string in [MS-DOS] function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that." - Dr. Gary Kildall.

Offline tallship

  • 614
  • 19
  • Active Participant
  • *****
  • Manager Network Services
    • Skype - tallship
    • Business Internet and Telephony since 1985.
Re: Security Alert - time to d/l patch for WHMCS
« Reply #1 on: October 04, 2013, 02:04:24 PM »
Wow, w/o checking google or anywhere else, this vulnerability must be a real doozy. I even got an email from resellerclub about it LOL!

Quote
Having trouble reading this mail? View as a Webpage
<http://cdn.resellerclub.com/mailers/rc/whmcs-whmcs-attack-04-10-13.html>


Website <http://www.resellerclub.com/>     Promos
<http://www.resellerclub.com/promos>     Blog <http://blog.resellerclub.com/>
Contact us <http://www.resellerclub.com/contact-us>

*Dear Reseller,*

A security vulnerability has been identified in WHMCS installations for versions
5.x because of which WHMCS has released new patches for the 5.2 and 5.1
releases. These updates provide targeted changes to address security concerns
with the WHMCS product.

*If you use WHMCS version 5.x, we strongly recommend that you install the update
<http://blog.whmcs.com/?t=79427> immediately. *

WHMCS has released the following patch versions to address the above mentioned
vulnerability:

    * v5.2.8
    * v5.1.10

You can read more about this, and download the latest patches from here
<http://blog.whmcs.com/?t=79427>.

In case you require any further information or any assistance, please feel free
to get in touch with us.

Regards,
Team ResellerClub

We would love to hear from you!

Email: whmcs@resellerclub.com <mailto:whmcs@resellerclub.com>



I expect there to be significant fallout from this one as the news continues to trickle in...
Bradley D. Thornton - Manager Network Services, NorthTech Computer   TEL: +1.310.388.9469 (US) | +44.203.318.2755 (UK) | +61.390.088.072 (AU) | +41.43.508.05.10 (CH)
Registered Linux User #190795 - "Ask Bill why the string in [MS-DOS] function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that." - Dr. Gary Kildall.

Offline tallship

  • 614
  • 19
  • Active Participant
  • *****
  • Manager Network Services
    • Skype - tallship
    • Business Internet and Telephony since 1985.
Re: Security Alert - time to d/l patch for WHMCS (Yet again).
« Reply #2 on: October 19, 2013, 06:35:55 AM »
OH hey! :) Here we go again  8)

------------------------------------------------------------------------------------------------------------------------------------------------------
Mailing number one:
-------------------------------------------------------------------------------------------------------------------------------------------------------

WHMCS has released a new update to the 5.3 Beta Release. This update provides resolution on two targeted issues:
 
&nbsp;&gt; Case #3353 - Add sanitization for pre-formatted AES_Encrypt in queries
&nbsp;&gt; Case #3325 - Credit Cards not processing due to incorrect values stored in SQL statement
 
 Note: Case #3353 addresses the recent security vulnerability found in the 5.2 & 5.1 series ( http://blog.whmcs.com/?t=79427 )
 
 It is highly recommended that you upgrade your 5.3.0 installation to 5.3.1.

-------------------------------------------------------------------------------------------------------------------------------------------------------
Mailing number two:
-------------------------------------------------------------------------------------------------------------------------------------------------------

========================================
WHMCS Security Advisory for 5.x
http://blog.whmcs.com/?t=80223
========================================

WHMCS has released new patches for the 5.2 and 5.1 minor releases. These updates
provide targeted changes to address security concerns with the WHMCS product.
You are highly encouraged to update immediately.

WHMCS has rated these updates as having critical security impacts. Information
on security ratings is available at http://docs.whmcs.com/Security_Levels

== Releases ==

The following patch release versions of WHMCS have been published to address a
specific SQL Injection vulnerability:
v5.2.9
v5.1.11

== Security Issue Information ==

This resolves the security issue that was publicly disclosed by
"localhost" on October 18th, 2013.
This also includes some additional changes to protect against potential SQL
injection vectors and additional security measures for admin account
management.

== Mitigation ==

=== WHMCS Version 5.2 ===

Download and apply the appropriate patch files to protect against these
vulnerabilities.

Patch files for affected versions of the 5.2 series are located on the WHMCS
site as itemized below.

v5.2.9 (full version) - Downloadable from the WHMCS Members Area
v5.2.9 (patch only; for 5.2.8 ) - http://go.whmcs.com/238/v529_Incremental

To apply a patch, download the files indicated above and replace the files
within your installation.
No upgrade process is required.

=== WHMCS Version 5.1 ===

Download and apply the appropriate patch files to protect against these
vulnerabilities.

Patch files for affected versions of the 5.1 series are located on the WHMCS
site as itemized below.

v5.1.11 (patch only; for 5.1.10) - http://go.whmcs.com/234/v5111_Incremental

To apply a patch, download the files indicated above and replace the files
within your installation.
No upgrade process is required.
« Last Edit: October 19, 2013, 06:41:06 AM by tallship »
Bradley D. Thornton - Manager Network Services, NorthTech Computer   TEL: +1.310.388.9469 (US) | +44.203.318.2755 (UK) | +61.390.088.072 (AU) | +41.43.508.05.10 (CH)
Registered Linux User #190795 - "Ask Bill why the string in [MS-DOS] function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that." - Dr. Gary Kildall.

Offline Patrick

  • 620
  • 17
  • Active Participant
  • *****
  • HBF Volunteer
Re: Security Alert - time to d/l patch for WHMCS
« Reply #3 on: October 21, 2013, 02:09:56 PM »
i believe there has been another one since this too
Patrick - Forum Rules
Insanity: doing the same thing over and over again and expecting different results. - Albert Einstein

Offline tallship

  • 614
  • 19
  • Active Participant
  • *****
  • Manager Network Services
    • Skype - tallship
    • Business Internet and Telephony since 1985.
Re: Security Alert - time to d/l patch for WHMCS
« Reply #4 on: October 21, 2013, 04:31:19 PM »
Dang! I hate it when you're right Patrick ;)  LOL!

<snip>
========================================
WHMCS Security Advisory for 5.x
http://blog.whmcs.com/?t=80298
========================================

WHMCS has released new patches for the 5.2 and 5.1 minor releases. These updates
provide targeted changes to address security concerns with the WHMCS product.
You are highly encouraged to update immediately.

WHMCS has rated these updates as having critical security impacts. Information
on security ratings is available at http://docs.whmcs.com/Security_Levels

== Releases ==

The following patch release versions of WHMCS have been published to address a
specific SQL Injection vulnerability:
v5.2.10
v5.1.12

== Security Issue Information ==

These changes resolve security issues identified by public disclosure.  The
follow security issues have been addressed within the latest patches:
 - Missing Cross Site Request Forgery Token checks for certain operations
related to Product Bundles and Product Configuration
 - SQL Injection viable due to improper validation of expected numeric data
 - Enforce privilege boundaries for particular ticket actions

== Important Fix Information ==
These changes also include important functional fixes that were produced from
previous security patches:
 - SQL error in getting ticket departments (5.1 only)
 - Mass mail client filter excluding users set to default language
 - Admin clients list displaying multiple instances of the same record in
certain conditions
 - Prevent user input from manipulating IP Ban logic (5.2 only)


== Mitigation ==

=== WHMCS Version 5.2 ===

Download and apply the appropriate patch files to protect against these
vulnerabilities.

Patch files for affected versions of the 5.2 series are located on the WHMCS
site as itemized below.

v5.2.10 (full version) - Downloadable from the WHMCS Members Area
v5.2.10 (patch only; for 5.2.9 ) - http://go.whmcs.com/242/5210_incremental

To apply a patch, download the files indicated above and replace the files
within your installation.
No upgrade process is required.

=== WHMCS Version 5.1 ===

Download and apply the appropriate patch files to protect against these
vulnerabilities.

Patch files for affected versions of the 5.1 series are located on the WHMCS
site as itemized below.

v5.1.12 (patch only; for 5.1.11) - http://go.whmcs.com/246/5112_incremental

To apply a patch, download the files indicated above and replace the files
within your installation.
No upgrade process is required.


========================================


WHMCS Limited
www.whmcs.com

- Members Area: https://www.whmcs.com/members/
- Support: http://www.whmcs.com/support/
- Documentation: http://docs.whmcs.com/
- Community Forums: http://forums.whmcs.com/


</snip>
Bradley D. Thornton - Manager Network Services, NorthTech Computer   TEL: +1.310.388.9469 (US) | +44.203.318.2755 (UK) | +61.390.088.072 (AU) | +41.43.508.05.10 (CH)
Registered Linux User #190795 - "Ask Bill why the string in [MS-DOS] function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that." - Dr. Gary Kildall.

Offline tallship

  • 614
  • 19
  • Active Participant
  • *****
  • Manager Network Services
    • Skype - tallship
    • Business Internet and Telephony since 1985.
Re: Security Alert - time to d/l patch for WHMCS
« Reply #5 on: October 25, 2013, 10:45:32 PM »
This one relates to the HBF post HERE

BTW, the vuls weren't discovered by the WHMCS devel team, as revealed by following the links in the post above, but the relevant items here IMO are really:

  • The WHMCS devel team is handling the exploits and shoring up those holes as quickly as can be expected.
  • We're seeing WAY too many serious security vulnerabilities in short succession recently.
The patches, release packages, and fixes came pretty quickly, but it took a day or so for WHMCS to actually send out the email alerts. Nevertheless, here's the official email announcement from the source:

========================================
WHMCS Security Advisory for 5.x
http://blog.whmcs.com/?t=80298
========================================

WHMCS has released new patches for the 5.2 and 5.1 minor releases. These updates
provide targeted changes to address security concerns with the WHMCS product.
You are highly encouraged to update immediately.

WHMCS has rated these updates as having critical & important security
impacts. Information on security ratings is available at
http://docs.whmcs.com/Security_Levels

== Releases ==

The following patch release versions of WHMCS have been published to address all
known vulnerabilities:
v5.2.12
v5.1.13

== Security Issue Information ==

These updates resolve the following issues:

> > Information disclosure via the client area as published by 'localhost'
> > HTTP Split Attack discovered by the WHMCS Development Team
> > SQL Injection Vulnerability discovered by the WHMCS Development Team
> > Privilege boundaries not being enforced on addons reported by Vlad C of
NetSec Interative
> > Download directory traversal reported privately by an individual
> > Lack of input validation in data feeds input discovered by the WHMCS
Development Team
> > Deficient Null Byte sanitization on input discovered by the WHMCS
Development Team

== Important Fix Information ==

These updates also include the following non-security related functional fixes:

> > Improved validation of monetary amounts
> > Moneris Vault Gateway compatibility update
> > Credit cards not processing under certain conditions
> > Correction to internal logic for testing Authorize.net payment gateway

== Mitigation ==

=== WHMCS Version 5.2 ===

Download and apply the appropriate patch files to protect against these
vulnerabilities.

Patch files for affected versions of the 5.2 series are located on the WHMCS
site as itemized below.

v5.2.12 (full version) - Downloadable from the WHMCS Members Area

v5.2.12 (patch only; for 5.2.10 or 5.2.11 ) -
http://go.whmcs.com/254/5212_incremental

To apply a patch, download the files indicated above and replace the files
within your installation.
No upgrade process is required.

=== WHMCS Version 5.1 ===

Download and apply the appropriate patch files to protect against these
vulnerabilities.

Patch files for affected versions of the 5.1 series are located on the WHMCS
site as itemized below.

v5.1.13 (patch only; for 5.1.12) - http://go.whmcs.com/250/5113_incremental

To apply a patch, download the files indicated above and replace the files
within your installation.
No upgrade process is required.


========================================


WHMCS Limited
www.whmcs.com

- Members Area: https://www.whmcs.com/members/
- Support: http://www.whmcs.com/support/
- Documentation: http://docs.whmcs.com/
- Community Forums: http://forums.whmcs.com/

« Last Edit: October 25, 2013, 10:50:29 PM by tallship »
Bradley D. Thornton - Manager Network Services, NorthTech Computer   TEL: +1.310.388.9469 (US) | +44.203.318.2755 (UK) | +61.390.088.072 (AU) | +41.43.508.05.10 (CH)
Registered Linux User #190795 - "Ask Bill why the string in [MS-DOS] function 9 is terminated by a dollar sign. Ask him, because he can't answer. Only I know that." - Dr. Gary Kildall.