========================================
WHMCS Security Advisory for 4.5, 5.0, 5.1, 5.2
http://blog.whmcs.com/?t=73290
========================================
WHMCS has released new patches for the 4.5, 5.0, 5.1 and 5.2 minor releases.
These updates provide targeted changes to address security concerns with the
WHMCS product. You are highly encouraged to update immediately.
WHMCS has rated these updates as including critical or important security
impacts. Information on security ratings is available at
http://docs.whmcs.com/Security_Levels
++++++++++++
Releases
++++++++++++
The following full-release versions of WHMCS have been published and address all
known vulnerabilities:
5.2.5
The latest public releases of WHMCS are available inside our member's area at
https://www.whmcs.com/members/clientarea.php
++++++++++++++++++++++++++++++++++++
Security Issue Information
++++++++++++++++++++++++++++++++++++
The Targeted Security Release and Patch updates for 4.5, 5.0, and 5.1 resolve an
issue of unsanitized information being used in a SQL query. Using a crafted URL,
an attacker could perform an SQL Injection.
The Targeted Security Release and Patch update for 5.2 addresses a security
enhancement regression discovered in 5.2.3 and 5.2.4. This regression is not
related to the itemized vulnerability mentioned for 4.5, 5.0, and 5.1. The
regression was identified internally and is not a candidate for public
disclosure.
++++++++++++
Mitigation
++++++++++++
------------------
WHMCS Version 4.5
------------------
Download and apply the appropriate patch files to protect against these
vulnerabilities.
Patch files for affected versions of the 4.x series are located on the WHMCS
site as itemized below.
> v4.5.5 (patch only) - http://www.whmcs.com/download/302/v455patch
To apply the patch, simply download the appropriate patch file specific to the
WHMCS version you are running, extract the contents, and upload the files from
the /whmcs/ folder to your installation.
No install or upgrade process is required.
------------------
WHMCS Version 5.x
------------------
Download and apply the appropriate full-version or patch of WHMCS to protect
against these vulnerabilities.
Patch files for affected version 5.x are located on the WHMCS site as itemized
below. A full-version of 5.2.5 is located in the WHMCS member's area download
section, under your license details.
> v5.0.6 (patch only) - http://www.whmcs.com/download/306/v506patch
> v5.1.7 (patch only) - http://www.whmcs.com/download/310/v517patch
> v5.2.5 (patch only) - http://www.whmcs.com/download/314/v525patch
> v5.2.5 (full-version) - Available in the members area
When updating from v5.0.5, v5.1.6, or v5.2.4 you can use the patch file and the
upgrade process is not required. Simply download the appropriate file specific
to the WHMCS version you are running, extract the contents, and upload the files
from the /whmcs/ folder to your installation.
If you are running any other version, you should apply the full version:
download the file from our member's area and then follow the regular upgrade
instructions, which can be found at
http://docs.whmcs.com/Upgrading
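Added example, not part of the WHMCS advisory or WHMCS code: a shell check that
every file from the extracted patch's /whmcs/ folder is present and
byte-identical in the installation, which catches a partial or failed upload.
The function name verify_patch and both directory arguments are assumptions.

```shell
#!/bin/sh
# Added example (not WHMCS code). verify_patch is a hypothetical helper.
# Usage: verify_patch <extracted-patch>/whmcs <path-to-installation>
# Prints one line per problem file. Returns 0 only when every patch file
# exists in the installation with identical contents, 1 when any file is
# missing or differs, 2 on bad arguments or an empty patch folder.
# Assumes file names contain no newline characters.
verify_patch() {
    patch_dir=$1
    install_dir=$2
    if [ ! -d "$patch_dir" ] || [ ! -d "$install_dir" ]; then
        echo "usage: verify_patch PATCH_DIR INSTALL_DIR" >&2
        return 2
    fi
    list=$(mktemp) || return 2
    # List the patch files relative to the patch folder.
    (cd "$patch_dir" && find . -type f) > "$list"
    if [ ! -s "$list" ]; then
        echo "no files found in $patch_dir" >&2
        rm -f "$list"
        return 2
    fi
    rc=0
    while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$install_dir/$rel" ]; then
            echo "MISSING $rel"      # never uploaded
            rc=1
        elif ! cmp -s "$patch_dir/$rel" "$install_dir/$rel"; then
            echo "DIFFERENT $rel"    # old or truncated copy still in place
            rc=1
        fi
    done < "$list"
    rm -f "$list"
    return $rc
}
```

A file reported as DIFFERENT is either an unpatched copy or one that was
modified locally; either way it needs review before the installation is
considered patched.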
================================================================================
WHMCS Limited
www.whmcs.com
- Support:
http://support.whmcs.com/
- Documentation:
http://docs.whmcs.com/
- Members Area:
http://www.whmcs.com/members/