WHMCS 5.2.10 critical update

Discussion in 'Web Hosting' started by iwf-jacob, Oct 20, 2013.

  1. #1
    For those of you not aware... http://blog.whmcs.com/?t=80298

    == Security Issue Information ==


    These changes resolve security issues identified by public disclosure. The following security issues have been addressed within the latest patches:

    - Missing Cross Site Request Forgery Token checks for certain operations related to Product Bundles and Product Configuration

    - SQL Injection viable due to improper validation of expected numeric data

    - Enforce privilege boundaries for particular ticket actions

    == Important Fix Information ==

    These changes also include important functional fixes that were produced from previous security patches:

    - SQL error in getting ticket departments (5.1 only)

    - Mass mail client filter excluding users set to default language

    - Admin clients list displaying multiple instances of the same record in certain conditions

    - Prevent user input from manipulating IP Ban logic (5.2 only)
     
    iwf-jacob, Oct 20, 2013
  2. WSWD

    #2
    What is that...3 this month? Unbelievable. Time for them to get their act together.
     
    WSWD, Oct 20, 2013
  3. Quiver

    #3
    There have been a lot of updates in the last month.
    I think it's time they review their script, thoroughly.
     
    Quiver, Oct 20, 2013
  4. WSWD

    #4
    Yep, time for a nice external audit like SolusVM did. The things they are missing are just basic PHP too, which is scary.
     
    WSWD, Oct 21, 2013
  5. iwf-jacob

    #5
    While I definitely think that a nice external security audit would be great for WHMCS, I also think it is to their credit how quickly they have responded to these public exploits -- AKA within a day. That shows (to me at least) that they are committed to standing behind their product.
     
    iwf-jacob, Oct 21, 2013
  6. MyBB Hoster

    #6
    The last vulnerability was actually something WHMCS found on their own. The vulnerability was not reported or publicly released by localhost like the other exploits. So that tells you they are already viewing the code and working to make it better. I hope lol.
     
    MyBB Hoster, Oct 21, 2013
  7. WSWD

    #7
    That actually isn't true. The latest one was released publicly. Not sure who released it, but we knew about the exploit over a day before WHMCS released the patch.
     
    WSWD, Oct 21, 2013