WHMCS Security Advisory TSR-2014-0003
WHMCS has released new updates for all supported versions of WHMCS. These updates include changes that address security concerns within the WHMCS product.
WHMCS has rated these updates as having a moderate to important security impact. Information on security ratings can be found at http://docs.whmcs.com/Security_Levels
Releases
Please update your installation to the latest version 5.3.9.
This update includes significant changes to IP detection logic in conjunction with the use of proxies. If using services such as CloudFlare, or any other similar public or private proxy service, to proxy traffic to your WHMCS installation, you will need to perform additional steps post upgrading in order to keep IP detection functioning correctly. If in any doubt, we urge you to read the Release Notes here or contact our support team for further information prior to updating.
The update includes a significant update to the low-level cryptographic routines used for admin authentication. These changes will affect any 3rd-party integration which directly accesses the admin user database table; should not have an observable impact on installations otherwise. Further details can be found in the Release Notes here.
The update brings End Of Life for the Ensim server module as well as the E-Gold and PayOffline gateway modules. Please read the Release Noes here if you activity using those modules.
UPDATE 5:15pm
Post release of 5.3.9 an issue was identified related to admins who had Two-Factor Authentication enabled prior to upgrading to 5.3.9. We apologize for the inconvenience this has caused and have provided a Hot-Fix here that should be applied after applying the 5.3.9 core update.
Patches – What is a Patch?
Incremental patches can be downloaded by following the links below.
These patch sets contain only the files that have changed between the previous release and this update. The previous release version that these patch sets are designed for is clearly indicated as the first and smaller number.
MD5 Checksum: a019f6e67c81ecb9087cfba22a0a6d84
Need a patch for an older version? Visit our downloads page: http://download.whmcs.com/
To apply a patch set release, download the files as indicated above. Then follow the upgrade instructions for a “Patch Set” which can be found at http://docs.whmcs.com/Upgrading#For_a_Patch_Set
Full Release – What is a Full Release?
A full release distribution contains all the files of a WHMCS product installation. It can be used to both perform a new installation or update an existing one (regardless of previous version).
MD5 Checksum: ba03da59cc51fbedc6c62d993baa7617
To apply a full release, download the release from the URL above. Then follow the upgrade instructions for a “Full Release Version” which can be found at http://docs.whmcs.com/Upgrading#For_a_Full_Release_Version
Security Issue Information
The security changes in these releases address 15 issues, all of which were reported via the security bounty program, or discovered internally by the WHMCS Development Team. The issues addressed are rated as having Moderate to Important security impacts.
Once sufficient time has passed to allow WHMCS customers to update their installed software, WHMCS will release additional information regarding the nature of the security issues.
Maintenance Issue Information
This release also provides resolution for a number of maintenance issues. For full details please refer to the changelog:
All published and supported versions of WHMCS prior to 5.3.8 are affected by one or more of these maintenance and security issues.