WHMCS Security Advisory TSR-2013-009
WHMCS has released new updates for all supported versions of WHMCS. These updates contain changes that address security concerns within the WHMCS product.
We strongly encourage you to update your WHMCS installations as soon as possible.
WHMCS has rated these updates as having important and critical security impacts. Information on security ratings can be found at http://docs.whmcs.com/Security_Levels
Releases
Please update your installation to the one of the following versions:
v5.1.14
v5.2.13
Patches – What is a Patch?
Incremental patches can be downloaded by following the provided links below. These patch sets contain only the files that have changed between the previous release and this update. The previous release version that these patch sets are designed for is clearly indicated as the first and smaller number.
Do not attempt to apply an incremental patch set to an installation that is running a different version than the indicated version. Doing so will result in a “Down for Maintenance” message and require you to use the full release to complete the upgrade.
Incremental patches do not require any update process. Simply apply the changed files to the existing WHMCS installation.
The following incremental patches are available for direct download:
5.1.13 –> 5.1.14 http://go.whmcs.com/274/v5113_incremental_to_v5114_patch
MD5 Checksum: 6a6045dffbe7d43b3ff294e4acd87cfa
5.2.12 –> 5.2.13 http://go.whmcs.com/278/v5212_incremental_to_v5213_patch
MD5 Checksum: 94347dd8f6776b1e5a53fb3b65ce2a16
To apply a patch set release, download the files as indicated above. Then follow the upgrade instructions for a “Patch Set” which can be found at http://docs.whmcs.com/Upgrading#For_a_Patch_Set
Full Release – What is a Full Release?
A full release distribution contains all the files of a WHMCS product installation. It can be used to perform a new install or update an existing installation (regardless of previous version).
The latest full release can always be downloaded from our members area at https://www.whmcs.com/members
5.2.13 – Downloadable from the WHMCS Members Area
MD5 Checksum: 2f6e51fc8a2ecd5c67dc28f87eb35cf5
To apply a full release, download the files as indicated above. Then follow the upgrade instructions for a “Full Release Version” which can be found at http://docs.whmcs.com/Upgrading#For_a_Full_Release_Version
Important Maintenance Issue Information
This Advisory provides resolution for the following important maintenance issues:
Case 2989 – Downgrade orders failing when no payment due
Case 3325 – Credit card processing fails with weekly retries enabled
Case 3467 – API GetClientsAddons fails on certain conditions
Case 3471 – Unable to download ticket attachments from first ticket message
Case 3515 – Add tilde to valid character list of redirect path
Case 3528 – Updated Smarty to latest 2.6.28 release
Case 3545 – Project Management settings redirect on save fails
Case 3482 – Improve default currency logic
Case 3641 – Allow MaxMind Service Type selection
Security Issue Information
This Advisory provides resolution for several security issues, one of which was publicly disclosed. Specific information regarding that issue can be found below.
All other resolved issues were identified by the WHMCS development team and independent researchers. There is no reason to believe that these vulnerabilities have been made known to the public. As such, WHMCS will only release limited information about the vulnerabilities at this time.
Once sufficient time has passed, WHMCS will release additional information about the nature of the security issues.
Case 3492
Remove dependency on unserialize() for admin table sorting
=== Severity Level ===
Important
=== Description ===
Object Injection Attack.
An attacker, once authenticated into the admin area of the product, could leverage user input passed to unserialize() to execute arbitrary PHP.
=== Resolution ===
Download and apply the appropriate software updates to protect against these vulnerabilities; information about software update releases is provided in the “Release” section of this Advisory.
NOTE: A temporary resolution was provided in blog post http://blog.whmcs.com/?t=81138. This post references a hook that can be deployed to an installation. The hook nullifies specific user input, mitigating the risk of nefarious input reaching the call to unserialize(). The caveat is table sorting, within the admin area, will cease to function as expected. The releases provided by this Advisory obsolete that hook. The hook can safely be removed from any deployment after the latest updates have been applied.
Internal Audit Issues
18 resolved issues were discovered by the WHMCS development team as part of an ongoing security audit.
More information about these issues will be published at a future date.
Private Disclosure Issues
Individual reports have been made to us from a variety of sources since the last Security Advisory. Amongst these reports only 2 issues have been disclosed to WHMCS, and confirmed as valid, which were not already discovered as part of an ongoing security audit. We would like to thank all the individuals, researchers and firms who reached out to us. Your efforts to ensure our awareness of security concerns within our product are greatly appreciated.
We would like to thank Blesta for providing both of the aforementioned, resolved issues.
More information about these issues will be published at a future date.
All supported versions of WHMCS are affected by one or more of these maintenance and security issues.
For information regarding our Long Term Support Policy, read our documentation here:
http://docs.whmcs.com/Long_Term_Support