========================================
WHMCS Security Advisory TSR-2013-009
========================================
WHMCS has released new updates for all supported versions of WHMCS. These
updates contain changes that address security concerns within the WHMCS
product.
We strongly encourage you to update your WHMCS installations as soon as
possible.
WHMCS has rated these updates as having important and critical security impacts.
Information on security ratings can be found at: Security Levels - WHMCS Documentation
==========
Releases
==========
Please update your installation to one of the following versions:
v5.1.14
v5.2.13
== Patches ==
Incremental patches can be downloaded by following the provided links below.
These patch sets contain only the files that have changed between the previous
release and this update. The previous release version that these patch sets are
designed for is clearly indicated as the first and smaller number.
Do not attempt to apply an incremental patch set to an installation that is
running a different version than the indicated version. Doing so will result in
a "Down for Maintenance" message and require you to use the full
release to complete the upgrade.
Incremental patches do not require any update process. Simply apply the changed
files to the existing WHMCS installation.
The following incremental patches are available for direct download:
5.1.13 --> 5.1.14
http://go.whmcs.com/274/v5113_increm...to_v5114_patch
MD5 Checksum: 6a6045dffbe7d43b3ff294e4acd87cfa
5.2.12 --> 5.2.13
http://go.whmcs.com/278/v5212_increm...to_v5213_patch
MD5 Checksum: 94347dd8f6776b1e5a53fb3b65ce2a16
To apply a patch set release, download the files as indicated above. Then follow
the upgrade instructions for a "Patch Set", which can be found at:
Upgrading - WHMCS Documentation
== Full Release ==
A full release distribution contains all the files of a WHMCS product
installation. It can be used to perform a new install or update an existing
installation (regardless of previous version).
The latest full release can always be downloaded from our members area at
https://www.whmcs.com/members
5.2.13 - Downloadable from the WHMCS Members Area
MD5 Checksum: 2f6e51fc8a2ecd5c67dc28f87eb35cf5
To apply a full release, download the files as indicated above. Then follow the
upgrade instructions for a "Full Release Version", which can be found at:
Upgrading - WHMCS Documentation
=========================================
Important Maintenance Issue Information
=========================================
This Advisory provides resolution for the following important maintenance
issues:
Case 2989 - Downgrade orders failing when no payment due
Case 3325 - Credit card processing fails with weekly retries enabled
Case 3467 - API GetClientsAddons fails on certain conditions
Case 3471 - Unable to download ticket attachments from first ticket message
Case 3515 - Add tilde to valid character list of redirect path
Case 3528 - Updated Smarty to latest 2.6.28 release
Case 3545 - Project Management settings redirect on save fails
Case 3482 - Improve default currency logic
Case 3641 - Allow MaxMind Service Type selection
============================
Security Issue Information
============================
This Advisory provides resolution for several security issues, one of which was
publicly disclosed. Specific information regarding that issue can be found
below.
All other resolved issues were identified by the WHMCS development team and
independent researchers. There is no reason to believe that these
vulnerabilities have been made known to the public. As such, WHMCS will only
release limited information about the vulnerabilities at this time.
Once sufficient time has passed, WHMCS will release additional information about
the nature of the security issues.
== Case 3492 ==
Remove dependency on unserialize() for admin table sorting
=== Severity Level ===
Important
=== Description ===
Object Injection Attack.
An attacker, once authenticated into the admin area of the product, could
leverage user input passed to unserialize() to execute arbitrary PHP.
=== Resolution ===
Download and apply the appropriate software updates to protect against these
vulnerabilities; information about software update releases is provided in the
"Release" section of this Advisory.
NOTE: A temporary resolution was provided in blog post
WHMCS - Security Threat Notification. This post references a hook that can be deployed
to an installation. The hook nullifies specific user input, mitigating the risk
of nefarious input reaching the call to unserialize(). The caveat is table
sorting, within the admin area, will cease to function as expected. The releases
provided by this Advisory obsolete that hook. The hook can safely be removed
from any deployment after the latest updates have been applied.
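The pattern behind Case 3492 and a hardened replacement, written here as an added PHP example (not WHMCS's own code and not the hook from the blog post); the request parameter, column names and function names are assumptions:

```php
<?php
// Added example (not WHMCS code). Parameter and column names are assumptions.

// BEFORE: sort state round-tripped through serialize()/unserialize().
// Whoever controls $raw (here, an authenticated admin) controls which classes
// are instantiated and whose __wakeup()/__destruct() methods run.
function loadSortStateUnsafe(string $raw): array
{
    $state = unserialize($raw);           // object injection sink
    return is_array($state) ? $state : [];
}

// AFTER: a plain-data format plus an allow-list for every field that reaches SQL.
const SORTABLE_COLUMNS = ['id', 'firstname', 'lastname', 'email', 'datecreated'];

function loadSortStateSafe(string $raw): array
{
    // json_decode() only ever yields scalars and arrays; no class is instantiated.
    $state = json_decode($raw, true);
    if (!is_array($state)) {
        return ['column' => 'id', 'direction' => 'ASC'];
    }
    $column    = (string) ($state['column'] ?? 'id');
    $direction = strtoupper((string) ($state['direction'] ?? 'ASC'));
    // Reject anything outside the allow-list instead of trying to escape it.
    if (!in_array($column, SORTABLE_COLUMNS, true)) {
        $column = 'id';
    }
    if ($direction !== 'ASC' && $direction !== 'DESC') {
        $direction = 'ASC';
    }
    return ['column' => $column, 'direction' => $direction];
}

// Interim option where unserialize() cannot be removed yet (PHP >= 7.0):
// forbid object creation, so a serialized object becomes __PHP_Incomplete_Class
// and fails the is_array() check rather than running any method.
function loadSortStateLegacy(string $raw): array
{
    $state = unserialize($raw, ['allowed_classes' => false]);
    return is_array($state) ? $state : [];
}

// Constructed inputs for illustration.
$good = json_encode(['column' => 'email', 'direction' => 'desc']);
$bad  = json_encode(['column' => 'not_a_column', 'direction' => 'sideways']);
print_r(loadSortStateSafe($good));  // column => email, direction => DESC
print_r(loadSortStateSafe($bad));   // falls back to column => id, direction => ASC
```

The allow-list also closes the adjacent risk of a sort column being interpolated into an ORDER BY clause, which a serialization fix alone does not address.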
== Internal Audit Issues ==
18 resolved issues were discovered by the WHMCS development team as part of an
ongoing security audit.
More information about these issues will be published at a future date.
== Private Disclosure Issues ==
Individual reports have been made to us from a variety of sources since the last
Security Advisory. Amongst these reports only 2 issues have been disclosed to
WHMCS, and confirmed as valid, which were not already discovered as part of an
ongoing security audit. We would like to thank all the individuals, researchers
and firms who reached out to us. Your efforts to ensure our awareness of
security concerns within our product are greatly appreciated.
We would like to thank Blesta for providing both of the aforementioned, resolved
issues.
More information about these issues will be published at a future date.
============================
All supported versions of WHMCS are affected by one or more of these maintenance
and security issues.
For information regarding our Long Term Support Policy, read our documentation
here: Long Term Support - WHMCS Documentation
============================
WHMCS Limited
www.whmcs.com
- Members Area: https://www.whmcs.com/members/
- Support: Support - WHMCS
- Documentation: Documentation Home - WHMCS Documentation
- Community Forums: WHMCS Forums