WHMCS Security Advisory for v5.2.10
========================================
WHMCS Security Advisory for 5.x
http://blog.whmcs.com/?t=80298
========================================
WHMCS has released new patches for the 5.2 and 5.1 minor releases. These updates
provide targeted changes to address security concerns with the WHMCS product.
You are highly encouraged to update immediately.
WHMCS has rated these updates as having critical security impacts. Information
on security ratings is available at http://docs.whmcs.com/Security_Levels
== Releases ==
The following patch release versions of WHMCS have been published to address a
specific SQL Injection vulnerability:
v5.2.10
v5.1.12
== Security Issue Information ==
These changes resolve security issues identified by public disclosure. The
follow security issues have been addressed within the latest patches:
– Missing Cross Site Request Forgery Token checks for certain operations
related to Product Bundles and Product Configuration
– SQL Injection viable due to improper validation of expected numeric data
– Enforce privilege boundaries for particular ticket actions
== Important Fix Information ==
These changes also include important functional fixes that were produced from
previous security patches:
– SQL error in getting ticket departments (5.1 only)
– Mass mail client filter excluding users set to default language
– Admin clients list displaying multiple instances of the same record in
certain conditions
– Prevent user input from manipulating IP Ban logic (5.2 only)
== Mitigation ==
=== WHMCS Version 5.2 ===
Download and apply the appropriate patch files to protect against these
vulnerabilities.
Patch files for affected versions of the 5.2 series are located on the WHMCS
site as itemized below.
[B]v5.2.10 (patch only; for 5.2.9 ) – [/B] [url]http://go.whmcs.com/242/5210_incremental [/url]
To apply a patch, download the files indicated above and replace the files
within your installation.
No upgrade process is required.
=== WHMCS Version 5.1 ===
Download and apply the appropriate patch files to protect against these
vulnerabilities.
Patch files for affected versions of the 5.1 series are located on the WHMCS
site as itemized below.
To apply a patch, download the files indicated above and replace the files
within your installation.
No upgrade process is required.
========================================