WHMCS Breach - some 3.5.1 downloads were compromised [MERGED]




Posted by David, 01-08-2008, 12:13 PM
I just received a fairly scary WHMCS notice, you can view the details here: <> What are your thoughts on the entire situation? Personally, I'm a tad fearful (luckily, I hadn't upgraded to the next version yet as I was letting the other users play beta-testers) given the fact that there wasn't any versioning / modification 'notification' system in place on their end. I'm fearing further updates. In essence, my concern is that the WHMCS development team isn't entirely certain how they were backdoored or to what scale they were backdoored. Are their own billing systems & servers hosted in the same environment? Were our billing details also released? etc. I want to know the scale of the attack. Last edited by bear; 01-08-2008 at 01:14 PM.

Posted by jhold, 01-08-2008, 12:28 PM
Do they have any idea when this occurred? I've just checked my install and none of the files listed exist (thank god).

Posted by whmcsguru, 01-08-2008, 12:29 PM
Just got this in the mail from Matt, re-posting it here in case his mail didn't get through to anyone: In short: If you updated to 3.5.1 before today, you'll probably want to remove the affected files and update again! Last edited by bear; 01-08-2008 at 01:03 PM.

Posted by domainworldaccess, 01-08-2008, 12:40 PM
Just in:

Dear WHMCS User,

It has been brought to our attention that at some time during the days following the recent release of WHMCS V3.5.1, an unauthorised user managed to gain access to our server through an Apache exploit and was able to add a number of files into the WHMCS V3.5.1 Full Version download available from our client area. The files added were shell scripts which could potentially be used to exploit the server should the functions used not be blocked. There is a chance that you may have downloaded V3.5.1 at the time when the files were present and so may have inadvertently uploaded them to your server. As a precaution we are asking all customers to check for, and remove, the following files if they are found to be present in your WHMCS folders:

<>

NOTE: If you used our professional upgrade or installation services to have WHMCS installed or upgraded by us then you will NOT have been affected.

We have taken action to ensure a breach like this does not occur again and apologize for any inconvenience caused. We would also like to point out that this was not a security problem with WHMCS. I would ask that if you have any concerns or questions, please email support@whmcs.com

Regards,
Matt
Founder / Developer
WHMCS Ltd
www.whmcs.com

Last edited by bear; 01-08-2008 at 01:04 PM.

Posted by domainworldaccess, 01-08-2008, 12:54 PM
Unless they did the update for you.

Posted by bear, 01-08-2008, 01:06 PM
File list removed. Please don't post the actual file list, since it may cause those affected to be found and attacked using them. Carry on.

Posted by UH-Bobby, 01-08-2008, 01:07 PM
I just upgraded last evening, this bothers me as well. Edit: My upgrade didn't contain those files either, so it looks like I'm safe as well. Like David, I would like to know how far this attack went, and what kind of scale it's on. I would especially like to know about my personal information. Last edited by UH-Bobby; 01-08-2008 at 01:14 PM.

Posted by Steven, 01-08-2008, 01:14 PM
Their claims of it being an apache exploit are totally bogus. In order for it to be an apache exploit it would have to: 1.) be a REALLY old version. 2.) a private exploit and we are all vulnerable to it. It's likely they are just passing the buck on this one. What I hope is they didn't just assume it was an exploit in apache. According to netstat, in November it was 1.3.39, which is the latest version in that branch and is secure. Their current banner: Overall it was not an old version of apache. It was just a different branch.

Posted by whmcsguru, 01-08-2008, 01:21 PM
Unless you're familiar with the situation, Steven, then you shouldn't be posting stuff like this. It's entirely possible this is an 'apache', or 'php' exploit, as well as other things. You can bet they are. Last edited by whmcsguru; 01-08-2008 at 01:25 PM.

Posted by Steven, 01-08-2008, 01:22 PM
Show me an exploit that would cause this. Also they said apache NOT php. Read it before you add things to it. Are we really going to need to get into a war again? Just because you feel you need to defend your favorite billing system?

Posted by domainworldaccess, 01-08-2008, 01:24 PM
If I had to guess, based on the location of the files and apparent familiarity with their code, particularly considering it is encoded via IonCube, I would say this is an inside job. If not, why not identify the exploit? This smells more like sabotage than a hack, but I'm a conspiracy freak so take that opinion with a grain of salt! HA!

Posted by PH-Kev, 01-08-2008, 01:25 PM
It was most probably a PHP exploit. You would think Matt would have thought about that one....

Posted by Steven, 01-08-2008, 01:25 PM
I would agree with you.

Posted by ub3r, 01-08-2008, 01:26 PM
I think they're just trying to pass the blame, and the only thing that was exploited was their horrible software. The only thing apache or php did was process the task the way their script instructed them to.

Posted by David, 01-08-2008, 01:26 PM
Just prior to Christmas, WHMCS was decrypted and just about everyone on the internet is auditing its code now, except legitimate clients.

Posted by ub3r, 01-08-2008, 01:29 PM
That's one of the great things about nulled software, all the poor coding gets thrown right out into public, and the author has to face the consequences of their own incompetence and laziness.

Posted by Steven, 01-08-2008, 01:31 PM
With the code open to the world I would not be surprised if an exploit was found that caused this. I doubt they would code an entirely new ordering system for their site.

Posted by whmcsguru, 01-08-2008, 01:32 PM
Speculation, always amusing from individuals who don't know the full story. No war. I just happen to know a few (note: a few) of the details, which, out of respect for Matt, I'm not going to post (note: I was in no way involved with this, it's not what I do). Keep in mind that most non-technical people will lump apache/php into the same mess. Oh no, even legitimate clients are. However, that specific 'decryption' is to be trusted about as far as it can be thrown, because there were numerous backdoors thrown into the decryption itself. It's always amusing to see speculation from armchair quarterbacks who have no clue what actually is going on, or what happened, trying the 'conspiracy theories' out. Unfortunately, this is what you get on public forums such as this. If you don't know what's going on, then it's really best if you keep speculation to yourself.

Posted by @Matt, 01-08-2008, 01:33 PM
I just checked on my end and I'm fine, but I have to agree this is a pretty scary situation. I am now going to check and make sure my clients have not been corrupted with these files.

Posted by David, 01-08-2008, 01:35 PM
Linux-tech, Well, until the speculation is put to rest by FACTS rather than blatant lies from the source, all we have left is speculation. To say this is the result of an apache exploit is well beyond reality, you should know that.

Posted by Steven, 01-08-2008, 01:37 PM
To me that sounds like they are either hiding something, or they are lying to us. Both of which are equally bad.

Posted by whmcsguru, 01-08-2008, 01:40 PM
Or that you're reading far too much into what is said, which is the case here. Matt hasn't 'lied' to anyone, nor 'hidden' anything from anyone here. Or a mis-statement. Like I said, it's quite easy to lump apache/php into one, and easily done, which is probably what Matt's done here. There have been no lies here, no deceit, no misinformation at all, from what I know of the situation. Last edited by whmcsguru; 01-08-2008 at 01:47 PM.

Posted by ub3r, 01-08-2008, 01:41 PM
Ok Tom, can you tell us what the full story is? Are they a management customer of yours or something? Are you sticking up for them because you didn't proactively manage their stuff, and it resulted in this? Please, give us the full story if you have it.

Posted by Serve By Design LLC, 01-08-2008, 01:45 PM
This is unfortunate. It seemed like good software. With all the allegations flying around here, it would be nice to hear from Matt on this. Stuff like this is why companies vanish into the internet abyss.

Posted by whmcsguru, 01-08-2008, 01:45 PM
No, I can't go into the 'full story', and even if I knew it, I wouldn't. I do know (some of) what went on, and I'm not even going to go into THAT, because Matt has not chosen to release that information. Nope. See above: even if I did have it, it's not my place to give out any more information than Matt has already done. If you want the full story, hey, ask Matt. Don't go in 'demanding' it, because he doesn't owe anyone anything, except his clients.

Posted by Steven, 01-08-2008, 01:46 PM
I have every right to demand it, I hold a license to whmcs which makes me a client. Reading above you didn't give anything except for hints.

Posted by PH-Kev, 01-08-2008, 01:49 PM
Tom, you know nothing; it's being controlled by Matt and 'bear'. That much I know.

Posted by ub3r, 01-08-2008, 01:55 PM
OK, if you can't give us the full story, then I'm just going to go with logic. Oh, and the clients of whmcs' client who could have had their accounts compromised, and let's not forget the clients of those clients whose sensitive data could have been stored in account databases, which would have been opened up if the whmcs customer had configured whmcs with 'automatic account creation' by the root user. Hey, I wonder how that data is stored in the whmcs config anyway. Anybody have that info? It'd probably have to be stored in plain text for automatic authentication, unless they're salting the logins via their own methods, but that'd be easy to break down now that it's been released to the public.

Posted by bear, 01-08-2008, 01:57 PM
Don't falsely accuse me of anything here. All I've done is remove the filenames from public view to help prevent people running WHMCS that might have these files from being attacked. I felt that was reasonable seeing as the few times someone has inadvertently posted a login here, within minutes the account was screwed with.

Posted by jhold, 01-08-2008, 01:57 PM
Linux-tech, do you hold a WHMCS license? Are you in any way a customer?

Posted by UH-Bobby, 01-08-2008, 01:59 PM
I think he meant the "bear" on the WHMCS forums, I don't know if you and that bear are the same, but I think he was referring to the "bear" on WHMCS forums.

Posted by ub3r, 01-08-2008, 02:01 PM
What's it even matter? Anyone with the interest or knowledge required to exploit those holes is going to be able to figure out how to exploit the vulnerabilities without reading a post on wht. Did anyone ask you to remove the file path info?

Posted by whmcsguru, 01-08-2008, 02:06 PM
Don't be so ignorant. If I knew nothing, I would post nothing, unlike most of the yahoos here who love speculation, conjecture, and false accusations (including yourself apparently). I have nothing to 'gain' by defending what Matt said (or trying to explain it to a mob of accusatory individuals). Matt, yes, that's his job. Bear, while I disagree (fully) with his methods, was just doing his job as a mod here. He feels that it's an exploit that can be used to gain access, and it is, under certain conditions, but the filenames still should be posted so they can be removed immediately. That doesn't even warrant an answer, as just a bit of research would tell you this. More speculation and conjecture, then again, from you, not too surprising. You do love your drama, don't you? No, you're going to go with speculation and conjecture, despite reputable individuals stating that Matt is NOT lying here. Mis-statements, I'll give him that (apache is not php, but then again, it's easy for the non-tech person to lump the two), but NOT lying.

Posted by PipeTen, 01-08-2008, 02:07 PM
Quote:
> Are you sticking up for them because you didn't proactively manage their stuff, and it resulted in this?
I'm confused, who manages this server that got compromised?

Posted by whmcsguru, 01-08-2008, 02:09 PM
That would be something that would be nunya, though you could always ask Matt nicely, he might tell you.

Posted by PH-Kev, 01-08-2008, 02:11 PM
Sorry bear, unless you are 'bear' from the WHMCS forums... I did not mean you, just coincidence.

Posted by ZoneServ.com, 01-08-2008, 02:18 PM
Hey guys, From my experience Matt is a reliable guy, not only that, he is very kind and working with him was really a pleasure. I am not saying this is OK, I am saying there must be an explanation as to why this happened. Also, I would like to hear more about WHMCS being decrypted, when did it happen, how and why?

Posted by PipeTen, 01-08-2008, 02:20 PM
I hope so, whoever it was needs to be hung, drawn and quartered

Posted by whmcsguru, 01-08-2008, 02:24 PM
Agreed. I've had my differences of opinion with Matt (still do with a few things), and we've had words, but he's always been reasonable, even when I've been slightly unreasonable (ok, at times more than slightly ;0). When? Mid-to-late December. How? There are a few (note: a few) individuals who claim to be able to decrypt ion. Why? A challenge was put out to do it. Demand was there, the demand was met. As I said before, the 'decrypted' stuff was loaded down with backdoors itself (at least one of the versions was). Matt's been made aware of the situation and is combating the links every chance he can. Why does someone do something like this? Because they don't want to pay someone for software they use. Realistically, that's the ONLY reason. Some will do it to 'audit' code, or to place backdoors in, but for the most part, it's because people are too cheap to pay the developer what his (or her) time is worth.

Posted by jhold, 01-08-2008, 02:25 PM
An answer would have been nice. We don't all have the time to go snooping around other's websites just to see which software they use.

Posted by ub3r, 01-08-2008, 02:27 PM
OK, let me break this down for you.
1) John is too poor for modernbill, finds whmcs with a cheap price tag. He proceeds to buy it, set it up with automatic account creation under the 'root' user, and starts his hosting company.
2) Kevin signs up for shared hosting for his online store, where he uses some terrible software that stores customer records in a mysql database with absolutely no type of encryption.
3) John updates his WHMCS installation with all that c99shell goodness.
4) Marcus the hacker finds John's WHMCS c99shell files, and happens to also have the whmcs source code handy in his /home/h4x0r/.ownage/lol/whmcs351/ directory.
5) Marcus proceeds to find the whmcs database login, logs into phpmyadmin or uses standard mysql authentication to access the whmcs database, and finds the root login for the server John had previously entered for automatic account creation.
6) Marcus proceeds to log in to that server as root, where he finds Kevin's database full of customer records, and then proceeds to take all that information and sell it to all of his undernet friends.
7) Tom finally understands what logic is.
Stop being so catty, it's obvious you're the person who manages it. Last edited by ub3r; 01-08-2008 at 02:34 PM.

Posted by ZoneServ.com, 01-08-2008, 02:29 PM
Where do you get such information? I would like to be up-to-date myself about such incidents that can affect my business.

Posted by whmcsguru, 01-08-2008, 02:46 PM
Once again, incorrect. I've said it twice now. Don't call me a liar again. I DO carry on the occasional professional conversation with Matt from time to time, but I do not 'manage his servers'. Once again, your entire theory is speculatory, assuming you know more about the details (or the operation of WHMCS) than you actually do. Information is encrypted inside of the database, so you'll get a bunch of gibberish even if you COULD get into it. Server passwords? You betcha, they're encrypted. Those of us that KNOW don't even use passwords, but 'keys' to create accounts. Can those be decrypted? Of course, they should be able to be. Do people know how to 'decrypt' the pass? If they're playing by the rules, there's only a handful that do. If they're NOT playing by the rules (ie: they've ignored warnings about these unencrypted releases containing trojans, and downloaded software), then you bet, they do, IF they know where to look for the right function. All in all, a pretty lengthy process with minimal chance of happening, ONLY if you know what you're doing, and ONLY if you have the right information. Possible? Of course, but then again, so is anything else. In the end: speculation, nothing more. Of course, with the 'decoding' of these files, it would be strongly suggested that individuals rename key functions for future releases, just to get back on track with that 'minimal use' standpoint, but that would involve a good deal of recoding. Sorry, not going to reveal sources. Not only would it be against rules here, but it would involve those sites being shut down immediately, I'm sure. I'm a member of a few 'underground' sites that post stuff like this, and I go through frequently looking for software I use, then make sure the designer(s) are made aware of the fact that these exist. Last edited by whmcsguru; 01-08-2008 at 02:50 PM.

Posted by Steven, 01-08-2008, 02:50 PM
By obtaining the source code they would get the decryption scheme as they have to be decrypted to be useful even in whmcs.

Posted by whmcsguru, 01-08-2008, 02:52 PM
Correct, if they knew where to look. Not everyone would though.

Posted by Steven, 01-08-2008, 02:53 PM
I don't have the source in front of me but I'm sure they could easily find the file containing what they want using a couple of 'grep's.

Posted by bear, 01-08-2008, 02:53 PM
Well, that is me as well. I help on that forum, and that's the extent of my association other than also being a customer. I have no knowledge or access to any of the inner workings, help desk, customer records, server or source code, and no idea how they got access other than what Matt said here. Privately I've been told by someone here I was overzealous by removing the file list, and that the thread was useless without it. I disagree. The warning is still being seen, and instead of some nefarious "kiddie" having more information on where and how to possibly find hacking tools in WHT member's servers, it was removed, and WHMCS clients can get the info from the script's author. For the record, I'd do it again if it came up because I felt it was protecting members in some small way, even if only temporarily.

Posted by Steven, 01-08-2008, 03:01 PM
That was not private and I know which user said it. I however agree with your decision.

Posted by whmcsguru, 01-08-2008, 03:41 PM
Not denying that at all, although the average user (even one downloading an unencrypted version of the source) won't go that far, or know how to do it. The ones to worry about are the ones that actually did the decrypting and put the trojans in the source to begin with. I'm not saying it's not possible, or that functions or algorithms shouldn't be changed; in fact, because of this I'd highly suggest that Matt do this, but this isn't really the thread for that discussion. This is the thread for discussion of the latest breach. The two are not one and the same, but two separate incidents. Incident A: Code was obtained and decoded, most probably obtained from a valid client download. Don't say it's not possible, because I've seen it done with both ion and Zend. Incident B: Server was compromised (unauthorized access) and malicious files injected. This could be from any number of sources and methods, although I'm pretty sure Matt knows who it was and how they got in. The decoded files are from 3.5.0, not 3.5.1; the unauthorized access took place sometime after Dec. 12th, judging from my own download of 3.5 which is still sitting compressed on my server and does not contain these files. What would be good to do would be to pinpoint exactly when this intrusion occurred so that individuals who downloaded before (or after) X date would know that their stuff is safe.

Posted by Steven, 01-08-2008, 03:49 PM
I took a glance at the code and found how everything is encrypted. We also did some checking with 'real versions' using: Guess what? Real versions and this cracked version all use the same variable. Soooo all they need is a tiny php script to include the FILE_I_OBSCURED.php and run the decrypt function with a simple sql query and we get root passwords. Sad thing is, he cannot change the variable without breaking everyone's whmcs and requiring them to reinput all of their servers' info. Last edited by Steven; 01-08-2008 at 03:58 PM.

Posted by Steven, 01-08-2008, 04:11 PM
I also wanted to say, even if the variable was not the same, a simple 4 line php script and a mysql query would yield you what you want. It could potentially be exploited through another remote include exploit elsewhere.

Posted by whmcsguru, 01-08-2008, 04:17 PM
Actually he can. It involves changing function names (which should be done anyways), changing keys (again, should be done), and forcing the removal of upgrade files, but it can be done.
Step A: Put the old function, old key into the upgrade file. Keep the same name.
Step B: On upgrade, force the update of passwords, keys, credit cards, etc. to the NEW function, NEW key, then enter some random information into the db to prevent it from happening again (would corrupt previous info).
Step C: Force removal of upgrade scripts before access is restored.
This way you've got the new function being used, new key being used, etc. Of course, this would require a good bit of re-coding, changing variables around, but still, very very possible to do. The keys, at minimum, must be changed, as well as the functions to call and grab the keys, as well as the required steps to grab passwords. This is going well above and beyond the scope of what this thread is about, however; let's try to keep on track here, rather than splitting off into 100s of different directions.
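The Step A/B/C key-rotation procedure described in the post above, as an added example in Python (not WHMCS's own code): how WHMCS stores server credentials and what its real functions and keys are called is not on this page, so the cipher, key names and table layout here are stand-ins, and the round-trip check and authentication tag are this example's additions.

```python
"""Re-encrypt stored server credentials under a new key and scheme at upgrade time.

Added example, not WHMCS code. The cipher is a stand-in (HMAC-SHA256 keystream
with separate encryption and MAC subkeys, plus an authentication tag) so the
rotation logic has something concrete to run against.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(master: bytes, label: bytes) -> bytes:
    # Derive distinct keys for confidentiality and integrity from one master key.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(master: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(master: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("record too short to be a valid ciphertext")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # Wrong key or tampered record. The tag plays the role of the "random
        # information" marker in the post: rows migrated to the new key simply
        # stop verifying under the old one, so a re-run cannot scramble them.
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(master, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def is_readable(master: bytes, blob: bytes) -> bool:
    try:
        decrypt(master, blob)
        return True
    except ValueError:
        return False


def rotate_secrets(records: dict, old_key: bytes, new_key: bytes) -> dict:
    """Step B: decrypt every secret with the old key, re-encrypt with the new one.

    Every record is round-tripped before anything is returned, so the caller
    never ends up with a half-migrated table; an already migrated table fails
    on the first record instead of being re-encrypted a second time."""
    migrated = {}
    for rid, blob in records.items():
        plain = decrypt(old_key, blob)
        fresh = encrypt(new_key, plain)
        if decrypt(new_key, fresh) != plain:
            raise RuntimeError(f"round-trip check failed for record {rid!r}")
        migrated[rid] = fresh
    return migrated


def demo() -> bool:
    """Constructed data: two server records encrypted under the old key."""
    old_key, new_key = b"old-master-key-constructed", os.urandom(32)
    table = {
        "srv-1": encrypt(old_key, b"constructed-root-password-1"),
        "srv-2": encrypt(old_key, b"constructed-root-password-2"),
    }
    table = rotate_secrets(table, old_key, new_key)
    # Step C in the post is operational (remove the upgrade script). The
    # equivalent here: old_key must be discarded, and it no longer reads new rows.
    return (decrypt(new_key, table["srv-1"]) == b"constructed-root-password-1"
            and not is_readable(old_key, table["srv-1"]))


if __name__ == "__main__":
    print("rotation ok:", demo())
```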

Posted by domainworldaccess, 01-08-2008, 04:42 PM
After reading this and many of your posts here it is clear to me that you have some sort of vested interest in WHMCS. If you do not manage their system, please just disclose clearly the nature of your relationship. You are being very misleading. Regarding the rest of your post, why would people take the time to create the doors if they did not intend to take the time to walk through them? Obscurity is not security. I don't think you have done yourself or WHMCS any favors today, but that is just my opinion, conspiracy theories and all.

Posted by whmcsguru, 01-08-2008, 05:05 PM
My interests in WHMCS are the same as anyone else's, in bettering the system. That would be none of your business. Never once have I been misleading. You may have not liked what was said, but never, ever have I been 'misleading'. Never have I not spoken the truth, never once have I lied, and no, I am not responsible for the day to day management and maintenance of WHMCS servers. Just because I will not go into exact details of my day to day dealings with other individuals does not make me 'misleading'. Please actually read through posts before following up here. I've already stated that there IS an issue with the code being distributed. This is a no-brainer, but it does not belong here in the thread. The two topics are only loosely related, and that discussion does not belong in this thread. The 'average user' doesn't know how to obtain the functions to grab passwords, or how to 'walk through the doors'. The 'average user' doesn't care about anything but saving a small bit of cash because they're too cheap to pay for proper billing systems. The 'average user' is the one that has ignored repeated warnings about trojans, backdoors, virii, etc., which have been deliberately placed in this decoded version by those responsible for the decryption (they are there and are proven) and downloaded it anyways. Fully agreed, but that has little place if any in this discussion. Just because you don't like that someone says 'you're not getting any more info' doesn't mean that you have the right to accuse them of being obscure, etc. It means just what they say. If you want to read more into it, that's your own fault, not anyone else's. Neither have you, but let's actually compare the two, shall we? You: Start up and encourage theories, rumors, etc., with no knowledge of software, or situations. Me: Attempt to quash said rumors, etc., with some knowledge of software and situations. Who's done more 'harm' for WHMCS? I think the answer there is clear.
Trying to start up and encourage theories, rumours, conjecture is not HELPING the situation at all. Trying to debunk those most definitely is.

Posted by ub3r, 01-08-2008, 05:12 PM
It doesn't matter if they change the function names, encryption keys, development server, and all the rest. Unless he codes his stuff in a completely secure manner, it's just going to get hacked & nulled, and the vicious circle will continue on and on until he finally corrects all of his original mistakes. This has helped though. Whmcs has gotten a hint of what happens when they use ioncube to hide their bad coding.

Posted by whmcsguru, 01-08-2008, 05:20 PM
Code getting 'hacked' has nothing to do with 'coding in a completely secure manner'; it has everything to do with demand, with people being too cheap to pay for software that they should be. I'm hardly saying that WHMCS is the most secure, but, again, not the thread for this. The alerts this morning aren't a result of 'insecure programming', they are a result of someone gaining unauthorized access, and two separate issues. Bull. Again, this has nothing to do with 'bad coding'. This has everything to do with someone getting into the server, and there are plenty of ways to get into a server, without even relying on code. Again, I know a little about what happened (a very little), and this wasn't 'code' related.

Posted by domainworldaccess, 01-08-2008, 05:24 PM
I hope that is correct. Time will tell. You need to take a long slow read back through this entire thread. Your shift has been subtle to be sure, but there is one. You and I will just have to disagree about what "misleading" means... Your follow ups were not visible while I was typing - I apologize. That said, the average users do not concern me. They are my (our?) customers. It is the malicious ones I am concerned about. Stop telling us what average users can and can't do when it is not them we are concerned about... You missed my point here. I was referring to your poor attempt at reassurance with this remark: Thanks for the help? We disagree again. You have come out with a poor attempt to patch a botched communication detailing a massive hole in a system which contains root passwords to perhaps thousands of servers all over the world. You have failed to give any credible evidence that what you state is true - we are supposed to swallow what you say because you have posted here for years? Save it. Do yourself and us and WHMCS a favor and stop playing games. I don't know how this happened. All I ever said was that it sounded like an inside job. I still think it does. What I can say fairly conclusively (and a statement with which you agree) is that the communication about it being an Apache exploit is false. Had that not been the case this would have been a very, very short thread. When credibility is eroded at any point, one always looks backward to see where the real breach occurred - hence the conspiracy theories... "If they are telling stories about this (and you know there is a "story here") what is the real story???" You have shifted your statements to lead us all to believe it was php that was the source of the exploit, WITHOUT stating what bug number or exploit could have resulted in this type of compromise. I would think that that information is nearly as important as fixing WHMCS, no? All I have ever asked for is information, and that will come.
My feeling is that it will come sooner rather than later now, and no thanks to you.

Posted by whmcsguru, 01-08-2008, 05:51 PM
Actually, it's not as 'massive' as you'd think, at least if he did it properly. Yes, the password can be obtained (as it should be able to be), but if he put proper protection in there, it's fine. Of course, knowing more of the 'variables' than most do (which I've been forbidden by Matt to redistribute), and a few of the functions (again forbidden), I'd say that a strong re-thinking of functions, variables, and the likely names of them is in order, but what do I know, it's not my code to say yay or nay to! How did I get all the 'variables' and 'functions'? I did what anyone can do, opened up an email and asked. Of course, one should have to prove they're developing on something for this information (and IIRC I did, it's been a while), but I simply opened up an email and asked. Ask yourself this: Why would a reputable member of WHT put their reputation on the line? Why would they say 'I know a bit more, and the theories are incorrect', if they in fact were correct? If you're really ignorant enough to believe that I'm going to put my own business, my own reputation on the line here when I DON'T have a clue what I'm talking about, then you need to re-evaluate your own situation. They're NOT coming to get you, no matter what you believe. When you stop spreading lies and conspiracy theories, then I shall stop shooting them down. I'm 90% sure I do (though I could be wrong), based on conversations with Matt over the past few days, and it was NOT an inside job. IF he chooses to reveal more, then by all means, he will. However, he has done his job and alerted his customers of the damage; that is ALL that he is required to do. Wrong. Calling it 'false' would be saying that it is a lie. Stating that it is a mis-statement is not. It IS and was a mis-statement, again, going on what little I know. You jumped to that conclusion yourself. Read your email, that is all you're 'owed'.
Your inquisitive, paranoid mind wants more, but you are owed nothing more than a 'security' notification which should (and does) include details of the problem, and how to resolve it. Details of the problem are not required to, and should never, include personal details such as 'how x got in'. I appreciate that you want more information, and were the shoes reversed, I would probably want it as well, because this was a pretty nasty thing that someone did. Based on the information I have, though, nothing was misleading (aside from a mis-statement of apache causing this) in that email. Conspiracy theories be damned, inside job theories be damned, it had nothing to do with either, again, from what little more I know.

Posted by domainworldaccess, 01-08-2008, 06:04 PM
That is all I need to know about you, sir. What is not true is false. It is very basic logic with which I am certain you are familiar, but which you seem to have conveniently, at least for the sake of this thread, forgotten. You should have been a lawyer, not a tech nerd. I have lied to no one about anything. I am certain of 2 things: 1 - This too shall pass, and 2 - more shall be revealed.

Posted by PH-Kev, 01-08-2008, 06:11 PM
OK Tom, so we can ask Matt that you have been advising on the issue.

Posted by IH-Chris, 01-08-2008, 06:30 PM
If you were on the other end of the stick you would be right there demanding and nit-picking every little inconsistency you can find. That is human nature to a certain extent. Since you know more than most, you're cool with it. I see only one biased member in this post and it's surely ruining any credibility of opinions. THE END. Let's leave the rest of this thread for more constructive posts such as Steven's posts. This is WHT, not the WHMCS forums. I think it viable to continue discussion to know the risks. Why hide the risks? For some people it's not "how to make it better", it's about exposing the weak parts and improving from them. Thanks for sharing the information, Steve.

Posted by David, 01-08-2008, 06:40 PM
First of all, as a client, I feel I'm well within my rights to know a sliver of how whoever it was gained access. Simply making a statement that it was an 'apache exploit' (when it clearly wasn't) leaves a lot to be desired. We're all operating the same scripts and I'd like to ensure that our own aren't equally as ripe for exploitation. As with any closed source system, you're going to have the random 0day or hack here and there -- security issues are expected in an ever-advancing world where there's more crackers & even more whine to go with it. I still feel we're being left in the dark as clients though. What if the issue was a direct exploitation of WHMCS itself? Even just letting us know that a security update will be arriving soon would be worthwhile. The bulk of my own fears come from the fact that someone was:
1. Able to exploit Matt's servers. (That's life though, exploits happen)
2. Then able to implement his own code into the available downloads / codebase;
3. Worst of all, unknown to the developers, it was released for potentially several days (if not longer).
I believe that we're all more than welcome to know where the exploit occurred, simply so Matt can explain to us how it's being prevented in the future. "Apache was exploited" sounds like an uneducated answer to me and if that's what he knows about it, we're going to have this reoccur within a couple of weeks again. There needs to be very thorough version checking, md5 checking and monitoring on Matt's end if he's going to release anything publicly for download. The sad part (and slightly beneficial to us all) is with WHMCS' decrypted code now being available throughout the net, as of last month, the codebase is going to be audited hard and we're going to see the fruits of that now in the new year. I'd recommend we all implement thorough file version / md5 checks of our own; Matt certainly isn't giving us much of a heads up on where there are potential problems. He's got enough of his own.

Posted by dkitchen, 01-08-2008, 10:46 PM
People who code things like this (from the source of the WHMCS login script) should not be allowed to write software: That is incredibly poor, amateur coding. Last edited by dkitchen; 01-08-2008 at 10:50 PM.

Posted by ramdak5000, 01-08-2008, 11:29 PM
Well, my 3.5.1 install is safe. In case it helps anyone, I downloaded and installed it on 15th December 2007 at about 5:20 p.m. GMT.

Posted by rts2271, 01-08-2008, 11:50 PM
Don't cry about it. Get those files removed. If you really stopped and looked at all the "exploitable" software out in the wild, both open source and closed, the numbers are staggering. At least here's a vendor that comes forth and lays the truth at your feet instead of sandbagging like Modernbill or, worse, Microsoft.

Posted by David, 01-08-2008, 11:54 PM
The vendor came forward with the truth?! "Apache did it! *wipes hands*" The vendor hasn't told us a single thing other than tossing the blame elsewhere. I can assure you, this is going to get really ugly, really fast.

Posted by whmcsguru, 01-09-2008, 12:32 AM
Feel free. I can't really say any more than I have on it. Probably not. While I would want to know a bit more, I would also accept that it's NOT MY PLACE to start stirring up rumours, accusations, and angry mobs going out demanding 'more information', because, as a client, it isn't. That doesn't make what 'you feel' a fact. Your rights are very simple, when it comes to software:
A> Download software
B> Use software
C> Get support for said software
They do not extend to you knowing every minute and minuscule detail that goes on with said software developer's server, the modules within, or anything else. Your rights END at the software level, at the service level. No more. And just HOW do you know that it wasn't an 'apache exploit'? Have you obtained further information from Matt? You still fail to grasp one very simplistic thing. People have different levels of understanding and technical ability. Some would consider apache+php+perl all in one big basket, and make a statement based on said consideration. Some would consider the Linux 'kernel' version the version of Linux they're running (I can't count the times I've seen that one over the years), and they make a statement based on said consideration. Some would consider an IE hack a Windows hack, making again a statement on said consideration. All of the above are partially correct, but based on the user's understanding and level of knowledge they are fully correct. I'm not calling Matt dumb by any means (he's not), but maybe he's like the standard developer who couldn't give a damn about the separation of apache, php, modules, perl, etc., and throws it all into one huge mess. I've seen that one a few dozen times as well. If my suspicions are correct (and judging by my own conversations with Matt in the past couple of weeks, they probably are), then this did NOT happen due to a 'code' error, but something else entirely. It wasn't. Again, I can only go off of my conversations with Matt, but going off of those, it wasn't.
Here, I agree fully that this is scary. In fact, it's above and beyond scary. This has happened a few times with cPanel as well (god knows I can't remember when the last time it happened there though); this happens with almost every major 'development' organization at least once. You're welcome to politely ask, you bet. You're not welcome to walk up like an unruly mob and start the accusations, insinuations, and all out theories that have been done here. That won't get you anywhere at all. If Matt doesn't WANT to give more information out, he's not legally required to. Or maybe, juuuuuuuuust maybe, he's holding that bit of 'information' aside to lure people back in, or for legal reasons. Whatever the reason, due and appropriate notice was given that this took place. That is all we (as customers) have a right to demand and expect. Agreed, MD5 is good, but it's only useful if people are going to check it every time, and only a handful of people will, out of the vast variety of WHMCS users. I don't see how this is beneficial at all. Firstly, you have a bunch of armchair quarterbacks trying to tell Matt that he's doing things wrong. That doesn't help at all, especially when every 'armchair quarterback' has their own way where it should be done BETTER, even though the way he's doing it may just work, and be safe. Secondly, you have to look at the fact that this code itself (even though it's OS) can't be trusted as coming directly from Matt. Thirdly, this puts more pressure on Matt, who I'm sure is pressured enough, given the crap he's had thrown in his lap recently. This only SLOWS development, it doesn't grow it. So, what does all of this mean? Well, more time, slower development, more prices to Matt. Who gets to pay those prices? We do, the clients. YaY, just what I need, more expense and slow development. Wow, he's not giving us a 'heads up'? Really? Because I do believe I received an email with a pretty big 'heads up'.
I also recall a few months back, Matt immediately jumped on a javascript exploit, and had it fixed within < 24 hours. I DARE you to find another developer of a major software organization that will have THAT quick of a response time! I'm not saying the code is flawless, or it's incredibly secure, because I've SEEN what was posted, I've SEEN variables, and I KNOW it isn't. All you need to do to see this, though, is to turn E_ALL on, just for 30 seconds, and then try to load up WHMCS. You want to talk about nightmares? Yeah. What I AM saying here is that this specific incident was (most likely) NOT caused by a WHMCS exploit. Only because of unruly individuals such as yourself who go out demanding what isn't their right to demand. Let it be, let the dust settle. This isn't an inquisition here, and there's no reason to gather individuals for a lynching party. The only one who is OWED an explanation is Matt (by his server management company). Anything else we get from him is going to be above and beyond what he's legally required to give. Last edited by whmcsguru; 01-09-2008 at 12:37 AM.

Posted by IH-Chris, 01-09-2008, 12:43 AM
Why don't you quit rambling on and let this forum evolve into something creative. Last edited by IH-Chris; 01-09-2008 at 12:46 AM.

Posted by Steven, 01-09-2008, 12:47 AM
Tom, have you actually looked at any of the code? You, being a PHP programmer, should be disgusted.

Posted by whmcsguru, 01-09-2008, 12:47 AM
Creative? Oh, you mean like the typical accusations and lynch mobs that happen at WHT? Sorry, not happening. I, for one, don't go for that kind of thing, especially when the individual who is being attacked is completely unworthy of said attack. If you want to continue the baseless attacks, then you'd better expect a response to those attacks. No, I know enough about the crap in WHMCS to know not to look there. Like I have said (and will keep saying), I'm NOT saying the code is the most 'secure', or the most 'put together', but that is NOT the issue here. The issue is the fact that someone got inside of a server, NOT 'does Matt's code need auditing', which I've said from a LONG way back it does.

Posted by IH-Chris, 01-09-2008, 12:51 AM
You reply like you are a speaker for WHMCS, but yet backpedal when questions or comments are thrown. Some were not directly pointed to you and if you are not a speaker or have anything to add... why reply? (note: this is my opinion and my opinion only)

Posted by whmcsguru, 01-09-2008, 12:56 AM
Actually, I have yet to reply 'like I was a speaker for WHMCS'. I have made statements that defend WHMCS, yes, but I have not replied 'like I was a speaker for WHMCS'. As far as backpedaling, never once. Maybe you interpreted it as such, but that's not the case. I've stood firmly by statements that I have made.

Posted by IH-Chris, 01-09-2008, 01:20 AM
Gotcha have a great night. Keep us informed if you are at liberty to go in more detail.

Posted by Mekhu, 01-09-2008, 02:30 AM
Tom, I just finished reading this entire thread and I'm amazed at your stance towards the situation. It's obvious that some of the more detailed information you have access to is keeping you calm. Imagine not having that information... would you be singing the same tune? Likely not. Your attitude reminds me of my 3 year old nephew... "I know something you don't know" I agree with the others that the initial email from Matt didn't include any reliable information. WHMCS is lucky I am not a client of theirs. I would be on the phone all day long until I received an explanation... a proper explanation. Now, for David, Stephen, etc. You guys are all clients of WHMCS? You all use WHMCS in a "live" environment? Why are you not demanding more information from Matt? Why are you not considering a custom billing option? Just imagine some hacker with your hosting company details and maybe even access to YOUR WHMCS... that's a scary scary thought. Lastly, why does everyone continue to support this software if it's coded so badly, etc? Last edited by Mekhu; 01-09-2008 at 02:36 AM.

Posted by Steven, 01-09-2008, 02:45 AM
I own a license to WHMCS, but currently do not use it. I do have some management clients who DO use it, which is why I am so concerned over the issue, and I am urging that clients move to other software. I just wish the situation was handled better; we still have not seen anything official from Matt on the board, and I have heard multiple reports of people's threads being removed from the WHMCS forums. I myself am working on a custom support desk. I actually saw a 'hacker' gain access to a WHMCS tonight and do nasty things. There wasn't even a successful login according to the access logs (they all went to incorrect logins), yet they were able to upload downloads and view client information. Last edited by Steven; 01-09-2008 at 02:48 AM.

Posted by Mekhu, 01-09-2008, 02:51 AM
Thanks for the reply. Your posts all make much more sense knowing you're not actively using WHMCS for your clients. I think the fact that Matt hasn't commented here or directly to his clients is the unsettling thing. It's almost like a "if I remain silent it will go away" feeling. Thanks again for the read. Been a while since I front-to-backed a thread.

Posted by whmcsguru, 01-09-2008, 03:02 AM
See my previous answer to this question. I can't COUNT the times this has been done to cPanel over the years, remote inclusion, etc. Did I go screaming then? Hell no. Would I go screaming NOW? Nope. You may see it as a 3 year old's attitude, but it's hardly that. At one time, I might have passed the information I have on to someone else for verification, just so they can say 'hey, he's not lying', but there's no way that's happening here. The difference between 'running screaming' and saying 'this needs to be addressed'? There's a time and place for everything. Right now, Matt has enough to do with the lynch mob attitude here. In time, this will be addressed, just like globals and clear text passwords were. YOU go out there and put together a billing application, do it, I dare ya. It's not exactly 'easy'. Unfortunately, as far as it goes, WHMCS may be badly (or poorly) coded, but I have yet to see something that can be integrated as well, OR something that is as well supported in the field. I don't have the time to write my own app, Modernbill is crap, everything else that I've tried is crap and can't even stand up to WHMCS. Matt knows he's got some work to do, and unlike MOST out there, he's actually made an effort to DO this work. Not 6 months ago people were whining because it uses 'globals' (rather used, past tense), and he fixed the problem, or so he says. When it comes to support, you won't find anything better. The very same thing can be said about Kayako here. Poorly coded application, MORE insecure than WHMCS, in the respect that Varuun stores CLEAR TEXT PASSWORDS in the database (which, just like WHMCS, stores login info in a plain text file), yet try tearing Kayako down, you'll get a mixed result here. Every piece of software has vulnerabilities and issues. I challenge you to find a developer more ACTIVE at getting those vulnerabilities fixed and addressed than Matt. And if I were Matt, I wouldn't be, either.
The second he does, he knows he'll get attacked, left and right, I'm sure. This place isn't exactly well known for logic.

Posted by Steven, 01-09-2008, 03:16 AM
I sort of disagree. I don't think it would have blown up as big if we had questions answered.

Posted by whmcsguru, 01-09-2008, 03:29 AM
And one could easily argue that it wouldn't have blown up as big had people accepted the answers given. You're not owed anything. Does cPanel OWE people answers when their software is hacked? No. Do they OWE direct details as to how the server was attacked? No. Does Microsoft OWE everyone answers when their servers are attacked, causing WGA errors? No. Are they obligated to post them? No. Does Kayako OWE anyone answers for his lackluster attitude in Kayako's password security? No. Is he obliged to post the reasons why he's chosen THIS route, rather than another, more secure route? No. You see, what you're OWED as a client has been given to you. Matt made a very reasonable email, even owned up to the fact that someone got into his server. Instead of saying 'ok, we'll fix it', the mob assembled here and started tearing things apart, throwing out conjecture, speculation, attacking anyone who might just try to throw a calming voice, or even reason, out there. As I said before, we do have certain rights as license holders, nothing more, providing licenses are current:
A> Downloading software
B> Usability of software
C> Support for software
D> Notifications of critical issues (which were provided).
Is the fact that the files got injected disturbing? You betcha, and believe me, it SHOULD be addressed. Is the typical lynching attitude going around here going to SOLVE anything? No. In fact, what this will most LIKELY do is cause a developer to tell clients where to go and close up shop, especially when you're talking just one developer. Matt's got some pretty big shoes to fill, and, personally, rather than demand answers, I'd be more than happy to sit back and wait, making sure that the problem was taken care of. He's got a GREAT history of taking care of issues.

Posted by IH-Chris, 01-09-2008, 04:49 AM
If you don't know or can't say anything then hush. For crying out loud, Tom... Unless you are officially speaking for WHMCS, your two cents don't mean anything right now. Your blubbering is excessive. Please go to the WHMCS forums and plead your case. Did they remove them already? I have sensitive information stored in those databases. I have every right to know what was accessed to ensure the proper information is changed. Since you are one sided, just let it go. Move to another thread.

Posted by Mekhu, 01-09-2008, 05:09 AM
Maybe I'm of wrong thinking but I don't feel the comparison between cpanel and a billing software solution is the same. I'm not about to get into it but that's how I feel. As for the rest of your post, why do you feel the need for such attitude? I was simply asking why people would continue to use a product that everyone including yourself has called poorly coded. I appreciate your points regarding Matt. He sounds like he runs an honest company. Next time, I could do without the attitude as mentioned. Lastly, your little "dare" comment. All custom coded

Posted by StevenG, 01-09-2008, 07:27 AM
Sure, if they leave sloppy code around or C# files that allow people to compromise a server, that makes them responsible. What planet are you on? If you pay for software, the developers are in the firing line, end of story. People are forgiving; with decent explanations, folks can move on, make their own fixes quickly and prevent such issues. Not everybody relies on the developers to issue a fix; all we want is information for the most part.

Posted by astutiumRob, 01-09-2008, 07:54 AM
I'm not going to get involved in the bickering that appears to be going on in the thread at present, but a quick answer to ... All *most* people are interested in is does the software do the job - it's only the pedants amongst us (I count myself as one) that care about the style and quality of the coding. Having worked with software companies for over 20 years, I am often appalled at serious commercial applications written in utter spaghetti - and these are things costing £xxx,xxx ! Why do people like WHMCS so much ? Because it's an affordable solution to a problem, which unlike many of the competitor products is actively supported and developed. Is it perfect - not at all, to-date I think I've found > 100 mistakes and problems with it, the majority of which either have been fixed or are down on the dev-schedule to do. Does that stop me using it in a production environment for certain things - absolutely not - just like I use M$-excel and that too is riddled with bugs ! bear was quite right to remove the filenames, not everyone sees WHT or regularly accesses the vendor forums, and giving "interested parties" additional information to compromise those users is not a good idea. Anyone who rolled out a version of any critical system without actively testing it, seeing what they installed, and onto a shared machine with the functions needed for things like c99 to execute needs to seriously rethink their own setup.

Posted by StevenG, 01-09-2008, 09:24 AM
Sorry, that's just BS. If you pay for software, that is not to be expected, no matter what you pay for it. I've never installed WHMCS or run with it, but this is just common sense: developers are in the firing line if they sell software. They must:
1. Tell people what the problem is, as detailed and honest as possible
2. Tell them how to fix it and apply a patch if they know and have made one
Simple as that.

Posted by InfiniteTech, 01-09-2008, 09:31 AM
Even though they carried out the upgrade for me I am still a bit scared. Backing up everything like a mad goof, but what I am scared of is if the attacker steals the data? It's customers' private details in there, something which they trust and have faith in us for! ... Edit: Come on guys, let's not hammer Matt. Just look at his wonderful software. Works like a charm for all our needs. I do agree that there is no room for error in such instances but he too is a human and we shouldn't go bang, bang and bang on him. My view... Last edited by InfiniteTech; 01-09-2008 at 09:35 AM.

Posted by StevenG, 01-09-2008, 09:34 AM
If you're that worried, then you need to develop your own software or choose another option - paying for software is the confidence that most people use; after that they develop their own so these issues don't crop up.

Posted by ZoneServ.com, 01-09-2008, 10:44 AM
WOW

Posted by David, 01-09-2008, 11:23 AM
Rao, No one is hammering Matt. We're just clients looking for answers, the related threads are being removed on the WHMCS forums so that only leaves us here.

Posted by DecaHolding, 01-09-2008, 02:20 PM
I checked our install and no nasty files were found. However it is still scary to keep the software in public, if the hacker would just add a simple backdoor to an already present php file (like login.php). I hope Matt will address this and checks ALL php files or replaces these with 100% "secure" files. BTW, was WHMCS hacked through Apache? I do remember a while back that their phpBB install was hacked! Maybe the hacker replaced the files since then? Other than that, I truly hope Matt will look into this hack attempt better; I doubt his server got exploited through apache 1.3.39? If it would happen, surely it must have happened to someone else on this planet as well?
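
David's post earlier in the thread recommends that every user run their own file version / md5 checks, and the post above worries that a backdoor could be slipped into an already present file such as login.php rather than dropped as a new file. The script below is an added example written for this page; it is not code from the thread or from WHMCS. It shows the check both posts are asking for: a manifest of known-good hashes is built from a copy you trust and compared against the deployed tree, reporting files whose hash changed (the tampered login.php case), files that vanished, and files that were never in the manifest at all (the injected-shell case from the advisory). Whatever is flagged is then grepped for shell-style PHP calls. SHA-256 is used rather than MD5. The file names, file contents and the marker list are constructed for the demonstration, and the marker list is a heuristic assumption, not a substitute for removing the affected files and reinstalling from a clean download. One caveat a practitioner should keep in mind: a manifest only detects drift from whatever copy you hashed, so if the copy you downloaded already contained the injected files, hashing it will certify them as genuine. The baseline has to come from a copy checked against the vendor's own file list, or from a fresh download made after the vendor confirmed the archive was clean.

```python
"""Integrity check for a deployed PHP tree against a manifest of known-good hashes.

Added example for this page, not WHMCS code. Assumes the manifest was built from a
copy you trust and stored somewhere the web host cannot rewrite it.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Heuristic markers for PHP web-shell behaviour. Assumption: a short illustrative
# list for this example; tune it to your own code base before relying on it.
SHELL_MARKERS = re.compile(
    rb"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|base64_decode)\s*\("
)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Run this once against a copy you trust and keep the result off the web host.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare the deployed tree with the manifest.

    Returns three sorted lists: manifest files whose hash changed (a backdoored
    login.php), manifest files that vanished, and files on disk that the manifest
    never listed (the injected-file case from the advisory).
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p, h in manifest.items() if p in current and current[p] != h),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def scan_for_shell_markers(root: Path, rel_paths) -> dict:
    """For each flagged file, list the shell-style PHP calls it contains, if any."""
    hits = {}
    for rel in rel_paths:
        data = (root / rel).read_bytes()
        found = sorted({m.group(1).decode() for m in SHELL_MARKERS.finditer(data)})
        if found:
            hits[rel] = found
    return hits


def demo() -> dict:
    """Constructed scenario: hash a clean tree, then plant a shell and backdoor a known file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        # Constructed stand-ins for vendor files; not WHMCS source.
        (root / "login.php").write_text("<?php\nsession_start();\n")
        (root / "includes" / "functions.php").write_text("<?php\nfunction greet($n) { return 'hi ' . $n; }\n")
        manifest = build_manifest(root)  # the trusted baseline

        # Simulate the incident: a dropped shell plus a backdoor appended to a known file.
        (root / "includes" / "x.php").write_text("<?php if (isset($_GET['c'])) { system($_GET['c']); }\n")
        with (root / "login.php").open("a") as fh:
            fh.write("eval(base64_decode($_POST['p']));\n")

        report = verify_tree(root, manifest)
        report["markers"] = scan_for_shell_markers(root, report["modified"] + report["unexpected"])
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the report for the constructed scenario. Against a real install, call build_manifest once on the trusted copy, store the JSON off-host, and run verify_tree on a schedule; anything in "unexpected" under a directory that is supposed to be read-only is the case the WHMCS notice describes, and "modified" on a file you did not change yourself is the quieter case the post above is worried about.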

Posted by PH-Kev, 01-09-2008, 02:21 PM
The problem is Matt's reluctance to comment, he is always quick to reply to forum posts, yet... on this occasion he seems to be shying away.

Posted by McRox, 01-09-2008, 02:36 PM
I am very sure, there was a topic posted on their forum about this security issue, but it is gone!

Posted by David, 01-09-2008, 02:41 PM
Also very disappointing, sweeping it under the rug on his own forums is a surefire way of calling this all into question. Why send out an e-mail about it & then delete any threads on your forum about it, is it not something worthy of discussion?! Our own client details on Matt's server were probably compromised or certainly close to it. This needs his attention but he seems to be on vacation. In essence, time to choose a new product or make our own.

Posted by whmcsguru, 01-09-2008, 03:00 PM
While there MAY have been other topics (I can't speak for any other topics there), topics calmly discussing this issue, such as this, still remain, and Matt has replied there. Not at all. He replied to the topic as necessary, confirmed it was from him. This was a 'defacement', not a hack; an SQL injection, that's all. This was a few months ago, and the files were not there then. Is it POSSIBLE that this is how the person got in? You bet. However, the chance is pretty slim. Again, try to understand that many developers think of the whole 'apache' environment as one. This includes php, apache, perl, etc. It doesn't take a tech genius to write code. I'm not saying he couldn't have worded it better, but to avoid going into further details would probably have been his best bet here. See above link. A thread that CALMLY discusses this and doesn't encourage or promote demands such as 'we demand more information' has been up and running since this was sent out, and Matt even confirmed the email. Threads with the tone such as this one are certainly going to be deleted, or closed immediately, and rightfully so. Again, with the theories that are incorrect. Firstly, Matt doesn't use his own billing system for anything but support. He's stated this publicly a couple of times. Why? Because of licensing. For orders and 'customer details', Matt utilizes a 3rd party licensing application (phpaudit) and because of that, all details are processed through THAT. This isn't developed, or even handled, by Matt, so there's minimal chance of this. Really, nobody's 'hammering' Matt? Seems like you were just throwing some pretty nasty accusations out there, and spreading some pretty decent rumours. Again, if you don't know details, don't post. If you DO post without knowing details, then you're simply adding to drama, creating more theories that are incorrect.

Posted by ub3r, 01-09-2008, 04:32 PM
Tom, why do you feel so compelled to defend whmcs? What stake do you even have in this?

Posted by Steven, 01-09-2008, 04:34 PM
Tom how many keyboards do you burn up a year? Side note: I saw a hack happen involving whmcs last night, and I had a member here pm me stating they saw similar activities.

Posted by DecaHolding, 01-09-2008, 04:41 PM
Just because you called it a defacement doesn't mean that it isn't possible. If you say the chance is pretty slim to do it through the phpBB hack, then the chance that it would be hacked through apache is ZERO. Come on, so many servers are using apache, and yet only WHMCS got hacked through apache? I already understand that Apache is completely separate from PHP; maybe you need to understand that. The fact that you say that many developers think differently makes this thing even worse. I know Matt knows his stuff, but this security issue is completely unacceptable and I truly hope that Matt will update everyone about the actions taken. Tom, please stop defending this situation; it looks stupid and will damage your own reputation/credibility.

Posted by whmcsguru, 01-09-2008, 05:19 PM
How, do tell? Is the developer required to know the ins and outs of Linux, including the kernels, included modules, and the like? No. What is the developer required to know? How to develop their own application. You're harping on one misstatement made by Matt, blowing it completely out of proportion. It is NOT surprising that a developer lumps everything into one; from a developer's perspective, if it works, it's good. One of my larger clients through most of last year couldn't tell you php from apache, yet ran an extremely profitable programming enterprise. They're not required to know the two apart. That's what the 'management' team is for here. A programmer is just a programmer, a coder, someone who picked a book up, or is self taught. They're not a systems administrator (usually), know jack all about management (usually), and really don't care to. They specialize in programming and development, not administration and management. If a programmer lumps something in, it's probably because they don't know what 'part' of that something to separate. Wow, you're reaching now, aren't you. Hey wait a minute, did I say it was impossible? Oh, no, I said it WAS possible. To an administratively, technically oriented individual, you're right, the 'chance' that it would be hacked through apache is zero. The CHANCE that it would be hacked through php? Much higher. However, lumping all into one inclusive thing is very common among developers. So WHAT if he said 'it got in through apache', let it die already! Here, I agree. The situation that allowed this to take place is unacceptable, and any smart business individual would know to act on that. If the individual doesn't understand Linux (as the wording of his email suggests), that's fine, then they need someone to pro-actively manage their servers. I'm sure we can expect something of the like from Matt, as he has ALWAYS been good with responses. I highly doubt it. If he does, good, but he's lived up to his end of the deal.
Maybe something in the forums saying "we're doing XXX to prevent this in the future", but then the hacker(s) will just find a way around XXX. Best policy is to keep them guessing. Obscurity may not be good 'security', but telling people exactly what measures you've taken to prevent this is even worse. What's ruining reputations and credibility here is the insane accusations and lynch mob attitude coming from supposed 'professionals' here. Demands like 'you owe us more' are never going to be met nicely, and they are always irrational. If you don't LIKE the information given, hey, be polite, be nice, and ask for more. You never know what you'll get. WAAAY too many. I typically go through 2-3 a year, but that's off the topic here. Because Matt is a standup guy who doesn't deserve the treatment he's getting here from individuals who have nothing better to do with their day apparently than to try to trash someone else's business. Asked and answered how many times now? Way too many. I have NO stake in this at all. My guess is that Matt has said all he's going to say about this publicly. If you don't like the answer given, by all means, open up a ticket, privately, or email him. He's ALWAYS up for a good debate. Maybe you can get more from him. I'm not suggesting that everyone email Matt demanding things, but come on, show some respect. If he's chosen not to release more publicly, then by god, so be it. Move on with your life. If you don't like the decision, take it up with him. If that answer doesn't suit you, hey, I don't remember ANYONE forcing you to use WHMCS (not that I'd recommend leaving over this specific incident, mind you).

Posted by Tina J, 01-09-2008, 05:36 PM
Agreed. Matt and team do a great job. I've dealt with so many prepackaged software solutions and their respective authors over the years. I'm continually impressed with how solid Matt supports and stands by his product. --Tina

Posted by TonyB, 01-09-2008, 05:39 PM
After reading this topic I got curious and had to find myself a null copy to see this source. As I had anticipated a year ago, I can finally confirm looking at the source that it is indeed as ugly as I had thought. I actually even use this software as it's, what I like to say, the best of the worst. I don't feel a single billing solution right now provides my perfect solution. WHMCS just is the closest at this point anyways. As for this exploit on their server: I could see one way of it happening is their demo script. At one time this demo script allowed you to upload any file type through the admin area. I had informed Matt of this quite a while ago and I believe he changed the demo. But a simple mistake when upgrading the demo could result in the exploit coming back. So if the demo wasn't on its own server I could see that being the actual way in.

Posted by tickedon, 01-09-2008, 06:44 PM
Actually... my understanding is Matt has built his own layer on top of PHPAudit. Certainly my experience with the ordering and client area at WHMCS isn't PHPAudit. Quite what he's done I'm not sure, but it adds a further dimension to the issue. Personally, I think every WHMCS customer has every right to be questioning Matt (and not Tom, Bear or anyone else...) about exactly what happened, how it happened, the issue(s) with WHMCS's code, and what will be done to prevent it in the future. Importantly though, WHT does not stand for WHMCS Hosts Talk. If someone wants to ask Matt & co a question, they should do it on the WHMCS forums or support desk. Speaking as a developer myself, however, I certainly wouldn't be rushing to reply to some people on here if they contacted me the way they act on here. Being calm and professional is generally (imho) the best way to get things done. Pretty much every major billing system in this industry has had some sort of security issue at some point. Nothing in life is 100% secure or safe; it's a "normal" part of the software development process for there to be some sort of issue. The key is how it's dealt with and (crucially) whether it happens again or not.

Posted by whmcsguru, 01-09-2008, 06:49 PM
You're right, my mistake there. Agreed, as long as it's done civilly, and not 'demanding' anything. If Matt doesn't want to go into details, he's probably got his reasons.

Posted by IH-Chris, 01-09-2008, 07:27 PM
Well, To add some constructive.. I'll post an interesting chat from a few knowledgeable coders. You be the judge:

Posted by hcn, 01-09-2008, 07:34 PM
if this is correct, Matt better fix these ASAP. further, i also believe that even looking at the code is some sort of stealing.

Posted by Soskel34, 01-09-2008, 07:50 PM
This may sound horrendously stupid, but who cares what information the hackers may have stolen! What can they do with it? WHMCS, being as popular as it is, I trust the WHMCS team to maintain a secure system, and in the rare event of an attack, that they can deal with it accordingly.

Posted by PolurNET, 01-09-2008, 07:51 PM
Could someone please tell me if clients of WHMCS license resellers also received this notice? I didn't, and I can't find the information of what files I should be checking. I logged into the WHMCS forum and can't find anything about this either... I'm really confused in this 7-page thread about the issue. Thanks for any help.

Posted by Steven, 01-09-2008, 07:54 PM
Umm hackers could potentially get your clients info and your server info if they correctly use the info they have obtained.

Posted by Littleoak, 01-09-2008, 08:00 PM
This is absolutely ridiculous. We're switching to ClientExec immediately.

Posted by David, 01-09-2008, 08:04 PM
Ha, wait. You were actually serious? I'm not one to stick up for WHMCS given the recent events but ClientExec is much worse. WHMCS has completely lacking sanitation, needs a rewrite and was built from the ground up on sand but it's still 10x better than ClientExec in every respect. You're getting ready to jump from the pot into the fire. Edit: Odd, seems you've been using ClientExec for an awful long time.. based on archive.org Go away. Tickedon, If the related threads at WHMCS weren't being deleted mysteriously, we'd probably obtain our information there instead. I suppose it's just a magic forum bug eating them Last edited by David; 01-09-2008 at 08:08 PM.

Posted by whmcsguru, 01-09-2008, 08:11 PM
What Steven said. I'm not really sure I'd be that naive, but for the most part yes. As long as this issue is publicly recovered from, then the trust is there. Matt's been good in the past about recovering from issues, we'll see where he sits now. You should have, as your license is (IIRC) managed through your WHMCS account at whmcs (ie: you download from whmcs, etc), so that should be how he mailed things out. Maybe he did it differently though. Agreed, and it'd be best if the code went through a professional audit, not some kid who 'claims' to know everything. There are a number of holes in things judging by the post just seen. Simply stating 'this is fixed' is no longer good enough. Matt NEEDS to have a professional auditing team (not just some kid hacker) go through this code (and I've said that for a while). Agreed, and the EULA is very clear on licensing, decryption, etc: Distributing stolen code is still theft. Posting it on public forums (way to go genius), theft. Whether or not the code is shady, hackable, or anything else, it is theft. This is what professional auditors are for, and it is, most definitely, time for a professional auditor, brought in by Matt, to go through the code. And if your threads were addressed in a respectful, non-demanding way, they wouldn't be deleted, now, would they? Last edited by whmcsguru; 01-09-2008 at 08:16 PM.

Posted by Soskel34, 01-09-2008, 08:17 PM
I was referring to someone earlier in the thread wondering if the hackers could have also stolen your WHMCS information. Not the information of your clients, but you, as the person who holds an account on WHMCS.com. I don't see what the hackers could possibly do with this information.

Posted by David, 01-09-2008, 08:34 PM
What, like your credit card numbers & passwords? Not much I suppose, as long as you use unique passwords for everything.

Posted by Annex, 01-09-2008, 08:40 PM
I disagree, if you haven't purchased a license, then you haven't agreed to any EULA, and with so many websites with backups of WHMCS stored in directories it wouldn't be very hard to obtain the billing system without the license. The real problem here lies with IonCube, their encoder can't guarantee encoding without the possibility of reverse engineering, anyone who is using the encoder has a risk of their source being discovered. About the legal issues, there isn't any law that prevents the obtaining of the source code in any country, if the code is copyright, then you can't sell or redistribute without legal issues in the first world countries, but 3rd world countries could care less, and lastly using WHMCS that is nulled is stealing because you are using the commercial application for free, however if you modified the source code you would be exempt from any theft case. Posting a link to software that is stolen isn't illegal by any means either, otherwise telling people where they could buy drugs would be illegal, which it isn't. If anyone harassed you over posting a link legally, you could say that you never put it up there, and they would have no shred of proof that you put it up there, making any court case get thrown out. To also clarify, I haven't hosted whmcs anywhere, installed it or downloaded it, or even had a license in my name, however I have used an installed and paid for version.

Posted by Littleoak, 01-09-2008, 08:41 PM
David, I'm not quite sure what you're referring to. We've been using WHMCS for three months now. Today is the first time a ClientExec installation has been active on our website. Are you trying to discredit me by lying? Why would you do that? I'd like an apology for your rude behavior. Yes, I was serious. After reading Chris' chat log I discovered that he was absolutely correct. It is not hard to hack in to a WHMCS installation. That is unacceptable for software that stores private information. What would you recommend as an alternative to WHMCS if not ClientExec? ModernBill, AWBS, Ubersmith?

Posted by Soskel34, 01-09-2008, 08:45 PM
It is the credit card company's responsibility to make sure purchases are authentic. If a hacker were to use your CC, you should be covered. I might be wrong... And yes, I have a unique password for most things. David - I can't find any records on archive.org for http://littleoak.net/ Littleoak - you are still using WHMCS https://www.littleoak.net/support/serverstatus.php Last edited by Soskel34; 01-09-2008 at 08:50 PM.

Posted by tickedon, 01-09-2008, 08:45 PM
Biggest load of non-sense I've heard in ages. Pretty much everything you've said is wrong, at least in the USA and UK. In terms of ionCube, it's the most secure solution available on the market at this time. Zend is (unfortunately) rather vulnerable to instant and automatic 'reverse engineering'. ionCube, at this point (and to my knowledge), still requires someone to manually sift through trying to reconstruct the files. Anything is possible with enough time (and money). Like all DRM and similar, it's eventually cracked. If people like Adobe, Microsoft etc... can't keep their products secure, I'm pretty sure the chances of anyone else keeping their stuff secure is zero (presuming you are 'big enough' to land on the crackers/hackers radars in the first place...).

Posted by 10101, 01-09-2008, 08:52 PM
I had no clue that WHMCS was hackable until I read this thread. Now I'm not sure what I should use as a billing system.

Posted by David, 01-09-2008, 08:55 PM
Ah, sorry. I had thought you installed the two in the same locale which it seems you have one under 'support' and the other under 'clients'.

Posted by IH-Chris, 01-09-2008, 08:59 PM
My point has been proven.

Posted by Littleoak, 01-09-2008, 09:00 PM
I accept your apology. We added the "clients" area earlier this month to try ClientExec out. This thread prompted me to make the switch. It was rather tedious transferring all of our customers' information by hand. We haven't attempted to customize the template yet. I would be genuinely interested in your thoughts on billing systems if you want to send me a private message. I'll bow out of this thread now that I've shared my thoughts.

Posted by Annex, 01-09-2008, 09:00 PM
Ah but you see I'm from neither, and believe me, in the US they can get you to court, but you could get out on technicalities pretty easily. I've been there and done that, someone kept hitting me from behind with a shopping cart when I was younger in the US so I overturned it and broke most of the contents, worth maybe $50 at the most. He tried to sue me for mental anguish and I did win my countersuit and he ended up getting nothing. Now it may be wrong as to the legalities of it, but look at the OJ Simpson case, if you show up and they have irrevocable proof that you committed the crime, you can still get out of punishment through technicalities. And also I never said it was the worst or that Zend was any better, which it plain and simply isn't. It's just not good. Microsoft has many customers and likely their products are the target of many hackers. On Windows 2000 they were able to keep the source code hidden for nearly 6 years before someone claimed to have it and wanted to sell it. When asked to prove he had it, he magically disappeared. The fact of the matter is Microsoft has kept almost all of their product lines' source code a secret. Not that it can't be hacked or is secure, but nobody has the source code. As for Apple, nobody bothers to hack Macs because the audience for hacking is so small it wouldn't be worth the time, but there are several exploits for Tiger which was supposed to be the big thing and triumph over Windows. Point of the matter, don't get ahead of yourself when it comes to law.

Posted by David, 01-09-2008, 09:02 PM
Tickedon, the point isn't that WHMCS was decrypted, that's just inevitable for any software. The point is it's getting exploited feverishly right now due to horrible coding practices. If you do continue using WHMCS, I would highly recommend you ensure that at the very least the administrative section is locked down to allow only necessary IP addresses access to it. While this is a smart move to begin with, it's now imperative that you do so. I would also highly recommend you audit your access logs with a fine-toothed comb. I would suspect that a lot of you have been exploited without your knowledge already. I would expect Matt to be dishing out information to his clients about this right now but sure enough, silence. Last edited by David; 01-09-2008 at 09:06 PM.
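The two precautions David recommends above (an IP allowlist on the admin directory, and a careful read of the access logs) as a worked example. This is added here for illustration and is not code from the thread or from WHMCS; it assumes an Apache 2.2-era `.htaccess` syntax, that the admin area lives under `/admin/`, and uses constructed sample log lines and documentation IP ranges, not real traffic.

```shell
#!/bin/sh
# Added example (not from the thread): restrict the WHMCS admin directory to an
# IP allowlist and flag admin-area requests from any other IP in the access log.

# Print an Apache 2.2-style .htaccess that denies everyone except the listed IPs.
# Usage: make_admin_htaccess 203.0.113.10 198.51.100.0/24 > admin/.htaccess
make_admin_htaccess() {
    printf 'Order deny,allow\nDeny from all\n'
    for ip in "$@"; do
        printf 'Allow from %s\n' "$ip"
    done
}

# Read Apache combined-format log lines on stdin and print those that touch
# the admin area from an IP that is not in the allowlist given as arguments.
# Allowlist entries are matched exactly (no CIDR) to keep the example short.
flag_unexpected_admin_hits() {
    allow=" $* "
    while IFS= read -r line; do
        ip=${line%% *}                    # first field of a combined log line
        case "$line" in
            *"/admin/"*)
                case "$allow" in
                    *" $ip "*) ;;         # expected admin IP, nothing to report
                    *) printf '%s\n' "$line" ;;
                esac
                ;;
        esac
    done
}

# Constructed sample log (not real traffic): one allowed admin hit, one client
# area hit, and two admin hits from an IP that is not on the allowlist.
SAMPLE_LOG='203.0.113.10 - - [10/Jan/2008:09:14:01 +0000] "GET /admin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2008:09:15:22 +0000] "GET /clientarea.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2008:09:16:40 +0000] "GET /admin/login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2008:09:16:45 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Number of flagged lines in the sample log for a given allowlist.
count_unexpected_admin_hits() {
    printf '%s\n' "$SAMPLE_LOG" | flag_unexpected_admin_hits "$@" | wc -l | tr -d ' '
}

# Demo: emit the .htaccess, then list the suspicious admin requests.
make_admin_htaccess 203.0.113.10
printf '%s\n' "$SAMPLE_LOG" | flag_unexpected_admin_hits 203.0.113.10
```

On a real server you would replace the sample with `flag_unexpected_admin_hits 203.0.113.10 < /var/log/apache2/access_log` (path assumed) and review every line it prints; a POST to the admin login from an address you do not recognise is the kind of entry worth chasing down.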

Posted by Annex, 01-09-2008, 09:08 PM
At this point they should just continue to release it open source if the coding is so bad and it's out in the open already, and everyone really should be doing that at this point. I really do want to see how bad the code is myself before I make judgements, but also for trivial knowledge LiteSpeed had an exploit that allowed users to download any file on the server they knew the web URL to, so much for LiteSpeed being better.

Posted by Cody Salter, 01-09-2008, 09:35 PM
You're funny. I hope you're not serious. WHMCS has its share of issues, but ClientExec puts that to a whole new level. [I have used it and this is pertaining to the features and usability.] Last edited by bear; 01-14-2008 at 10:24 PM. Reason: By request

Posted by TonyB, 01-09-2008, 09:44 PM
I don't think most of the worries are about the few files that were included in some of the 3.5.1 installs. The worries are with the source released and the quality of the code. As some have suspected the code inside is very ugly and it is also full of potential exploits. So it makes one wonder if the fact it was encoded was a security blanket with regards to really auditing the code. I guess we're all going to wait and see what happens now.

Posted by Mekhu, 01-09-2008, 11:19 PM
I think that's the sad thing. Everyone talks as if something bad is going to happen yet you do nothing. Maybe people should begin working custom scripts into their business plans? Good luck everyone.

Posted by ph23man, 01-09-2008, 11:37 PM
Honestly, I was adopting a wait and see approach because my install didn't have the added files. But now all this about the source code and numerous vulnerabilities throughout the entire application has me worried. Looking at the chat that was posted, they're literally ridiculing the entire application. I'm thinking about taking my entire WHMCS install offline until this is all sorted or moving to another platform. Is this just people spreading FUD? If any qualified individuals who've seen the source code want to weigh in I think that would be helpful. But then, due to the EULA, admitting to seeing the code is admitting to theft isn't it? Matt and WHMCS need to put out some official word on this. There is almost nothing about this on their forums except for one thread about the security notice email so it seems they are exercising editorial control. If indeed the coding is that bad, I also agree they need to bring on professional outside help to audit and secure the application. But it still doesn't bode well for WHMCS' future considering Matt is still the primary developer and presumably the source of all this faulty coding. Overall, these developments are very disappointing. Last edited by ph23man; 01-09-2008 at 11:41 PM.

Posted by Cody Salter, 01-09-2008, 11:47 PM
I don't think it is an issue now, but it surely could be in the future. I agree that Matt needs to speak up and let us know what's going on and how to proceed.

Posted by Annex, 01-09-2008, 11:48 PM
Not at all. If you haven't agreed to an EULA you can look at the code all you want as long as you don't distribute/resell it.

Posted by whmcsguru, 01-10-2008, 12:08 AM
Wrong. By viewing the source of someone else's code, without paying for it, you have effectively stolen someone else's work. That is illegal, and theft. If you walk out of the store with a pack of cigarettes without paying for it, that is still theft. It doesn't matter if you walk back in 5 minutes later and say 'hey, I forgot to pay for these', you STILL stole the pack of smokes. By taking someone's code, without paying for it, without obtaining their permission first, that is theft. It doesn't matter how pathetic the code is (and I've seen worse than what's been shown here), it's still theft. You're effectively taking something that you didn't purchase, that you didn't create, and have no right to, and calling it your own, for your own purpose. Not only are you calling it your own, but you are trying to tear down the individual putting the project together in the process, but that's for another day. Theft is theft, there is no 'borrowing' of code, there is no permission granted by Matt to individuals (that I'm aware of) to decrypt this, there is no permission to distribute it given to these underground sites.

Posted by ub3r, 01-10-2008, 04:57 AM
Stop being so dramatic. If they didn't want the risk of someone reading it, they shouldn't have sold it.

Posted by WHMCS-Matt, 01-10-2008, 06:18 AM
My silence in this thread has not been because I am hiding anything, or as some suggested that I had run away! It has been down to the fact that I didn't want to get involved in spending huge amounts of time in protracted discussions around the issues when clearly my time could be better spent actually dealing with the issues. As you know, I have always prided myself on responding to issues in a positive and timely manner and it is my intention to do the same with this. I am however now making a post to address the concerns raised and it will be my one and only post to this thread. I would ask again as in the original email that any concerns are addressed to me personally. Tuesday's email was sent as a precautionary measure to alert our customers of a potential breach of security on our server resulting in the latest WHMCS zip file download containing rogue files for a short period of time. It was not the result of a security weakness in the WHMCS software itself - the issue was only the zip file on our server having several files added (and none modified). We are confident that all steps that could be taken have now been taken to prevent this from happening again. I appreciate that some customers may be concerned by the events but can only reiterate that WHMCS the software was not involved. I took the decision to notify all customers of the potential files which could be in their install while only a small number of customers will be and were actually affected because security is and continues to be of the utmost priority. On a completely separate note, due to the ioncube encryption being reversed last month, numerous issues have come to light about possible SQL injection vulnerabilities in the WHMCS system. These are being addressed as a matter of urgency and this thread has only served to highlight those issues. It would be appreciated if discussions pertaining to the exact vulnerabilities are kept to a minimum to help prevent widespread knowledge of what can be used. A new update addressing these issues will be available as soon as possible. I can only apologize for the concern that may have been caused to you through the prioritizing of new features and rapid development over quality of code, and I understand this is unacceptable but this is something that will be learnt from and I will continue to provide the great service you've come to know and love. Despite the difficulties currently being experienced, I am confident that WHMCS can continue to meet the needs of its clients and will become an even better product in the coming weeks and months. I would like to take this opportunity to thank the many loyal customers who have helped to make it successful and can assure you of my total commitment to resolving any problems and continuing to offer the very best service I can. Regards, Matt Last edited by WHMCS-Matt; 01-10-2008 at 06:26 AM. Reason: Fixed spelling error

Posted by rv_irl, 01-10-2008, 06:24 AM
I think it is good that you have addressed these concerns. I think theories and such have cropped up mainly due to silence on your part. It is understandable and I believe most users would prefer priority given to fixing those issues. However on the other hand, I do believe an active participation - where possible (maybe in your spare time if you have any) would also be appreciated to keep any wild theories and speculation at bay... Nevertheless, thanks for posting a response!

Posted by whmcsguru, 01-10-2008, 11:13 AM
People are excusing the theft of product and services here, which is by no means acceptable. Just because cheap thieves want it doesn't give them the right to go out there and take it and do whatever they want with it. I'm hardly being 'dramatic' by creating very decent examples here. Theft is theft, no matter how you slice it. It doesn't MATTER if you're too poor for that pack of smokes, or you just HAVE to have it to deal with your addiction, what MATTERS is that it is theft.

Posted by HNLV, 01-10-2008, 12:31 PM
Anyways.... Is it safe to use this product now then or can we expect more of these in the future? What puzzles me is that nothing like this happened (at least to my knowledge) before the code was decrypted. But after it was, within a few weeks this happens. Maybe it's just me or maybe it was just a coincidence. And David, I see your billing system is down.

Posted by David, 01-10-2008, 12:34 PM
A Steadfast technician decided he'd corrupt one of my drives last night. I had to migrate immediately to get back online but I'm waiting for an IP address to be assigned to the new system before I can set up my SSL certificates. It's one of those chicken & egg situations. I'm all back online, just awaiting Steadfast. *whistles* Yeah, I think they took the good drive out & rebuilt my RAID1 array with a bad drive & a new drive. Smart cookies. I wish they'd listen to instructions.

Posted by tickedon, 01-10-2008, 12:45 PM
Until Matt issues a patch to address the numerous security issues in the WHMCS code, your WHMCS install is vulnerable. The real issue is whether any idiots can put together scripts to find and automatically target WHMCS installations that are vulnerable prior to Matt getting a patch out. Based on my experience when I was at WHMAutoPilot, when we had a single serious security issue, installations were still being exploited a year later as a) customers hadn't upgraded/patched and b) people had bots crawling away to find and exploit the installations. Like any good software developer, I'm sure Matt can get all the patches he needs out fairly quickly - and I'm equally sure everyone here will be patching their installations just as quickly. The problem however is for those who don't hear, or don't bother - we'll likely be hearing problems of "hackers got into my WHMCS" for months to come unfortunately.

Posted by TonyB, 01-10-2008, 01:36 PM
We may not be stealing it but others are, and some may just use WHMCS without a license and others may use it for malicious purposes. So I think for the devs to make the assumption the code would never get out in the wild would be very bad. Now did they do that, who knows, nor does it matter at this point. Fact is there are going to be many many exploits out there now. Maybe it'd be better if everyone was poking and prodding it whether it's theft or not as the code is out there. It'd be better for some white hat people to be finding these holes than some black hat guy doing it all and everyone just waiting for a host's install to go down before a patch is issued.

Posted by jon-f, 01-10-2008, 05:06 PM
This one scared me too. I really don't see any exploits for that version of Apache either. I'd say either they were rooted and this happened or someone broke in through their very own app. I'm sure we will never know the full details. But this surely made my heart drop and reconsider using it or at least what data is stored in it.

Posted by Annex, 01-10-2008, 05:17 PM
Guess what, EULA isn't the law. All that Matt could do for someone decrypting his code is revoke their license, but if they sold the decrypted copy, or nulled the system of license verification and used it, yes it would be stealing, but decrypting it isn't stealing or violating any laws. I did talk to my friend who is a Crown attorney, and he said that if the program was used without the license or if you resold the source code that was modified or the source code unmodified it would be a crime, but you can look at the decrypted version all you want and nothing would come about, now please unless you are an attorney don't post about the law. Also your analogy about smokes is an extremely terrible example for the situation. A better one would be you only buy the packaging that the smokes are in, can you look at what's inside? Well the answer is yes.

Posted by midwestmerchant, 01-10-2008, 05:19 PM
I am still using Version 3.4.1 as I have not updated yet.. so I should be safe, correct?

Posted by whmcsguru, 01-10-2008, 07:25 PM
Professionals, yes. Individuals who have the code directly released by Matt (not obtained through this underground BS), yes. Silly kids who have minimalistic coding skills, no. This is exactly what I said about 'armchair quarterbacks' here. You take 25 people, tell them to do something, and they'll come up with at LEAST 10 ways to do it. What the code needs is a professional audit, not 100s of kids that think they know everything saying 'ooh, I can hack it'. That is a load of BS, and your 'friend' is wrong. All it takes is to be caught with the unencrypted source in your possession, and you're guilty. Whether you use it or not, you're guilty. Theft is theft, plain and simple. You can't go up to Microsoft and say "I demand to see all source for Windows" before putting it on a computer, you'll be laughed out of the building. You can NOT legally own or obtain a decrypted copy of encrypted source code, pure and simple. Even IF you have a valid license for this, it is still theft. I don't care whether you agree or not, really it doesn't matter. Your not agreeing shows a pure lack of respect for individuals who spend their countless hours developing products for consumer use. The attitude of 'if he didn't want this, then he shouldn't have released it' is complete bogus crap. The attitude of 'I have the RIGHT to go through the source' is complete bogus crap. You don't HAVE that right, you STOLE the code from Matt when you started the download, and obtained the source illegally.

Posted by bear, 01-10-2008, 07:35 PM
If all the posters here are correct about the code, I would suggest you are not safe, except that your version might not have the files that were added to the later release.

Posted by TonyB, 01-10-2008, 07:55 PM
Well, professional people would be the ideal situation, but I doubt it's going to happen this very instant. If people are going to poke at the code I imagine Matt would appreciate receiving reports as opposed to waiting for them to show up on many of the security notice sites or even worse customers getting exploited. Suggestions on how to fix it, no, but people reporting SQL injections and other exploits like that don't really need suggestions; the developers simply need to be made aware of them. Right now I think worrying about trying to go after people with the code should be the least of the worries. Right now the goal should be to fix up the problems that are on their way. Whether they are customers with the source reporting them or WHMCS finding them themselves I don't think it should matter. Everyone has one goal in mind and that is a secure product. If it's going to go the other way around then I could see customers either switching systems or using the null script to patch the thing themselves to keep themselves safe. My thoughts anyways.

Posted by Annex, 01-10-2008, 08:02 PM
Whatever, you aren't a lawyer, he is. I'll take advice from someone who has a successful practice rather than someone who is angrily posting on a forum. I don't even have the source, but whatever, think what you want, if you want to act like the 12 year old that is always right be my guest. I know what I can and can't do, and that's all that matters.

Posted by Annex, 01-10-2008, 08:06 PM
That's usually the benefit of open source projects, people can patch things themselves if they are a competent enough programmer, but if you aren't you can really screw your system up, and open source systems generally have a lot less support than closed source systems.

Posted by TonyB, 01-10-2008, 08:15 PM
There's lots of commercial software in other industries that is not encoded by ionCube that is much much larger than these billing systems (vBulletin comes to mind). They are constantly under the microscope and it shows with their continuing effort to improve their code and not just add features. So it's not all about patching the systems, it's just having your code more so under the microscope. And no, you don't even need to open every single file. Some systems encode the licensing end of things and a few key components. They don't bother closing down every single file for things like adding a user. There is absolutely nothing special about it and it's frankly very trivial. I've suggested several times that if these systems don't consider running multiple branches in development, problems are going to come up as the code base gets larger. You can have 4.0 as your current production branch but in the wings is 5.0 which is a rewrite of many things to help make it easier to manage in the future. With PHP5 now considered the standard it makes even more sense than ever to be doing this.

Posted by whmcsguru, 01-10-2008, 11:01 PM
We're on the same page there, fixing the problem is a priority, BUT getting rid of the problem in the first place is as well. And you say I'm acting like a 12 y/o? Sorry, but you might want to re-evaluate things there. A few things you need to get straight here: A> I'm not 'angrily' posting anything. B> I have yet to insult someone deliberately, or act childish. Based on the last statement, I can't say the same about you. Your 'lawyer' friend is wrong, no matter what you want to say. Possession is wrong, and will get you in trouble. As long as you HAVE such code in your possession, whether you've activated it, used it, installed it, or anything else, you're in the wrong. Look at this logically here: -- Did you legally buy the source of the code? -- Did Matt approve this? If neither of the above is true, you are in possession of stolen code. You didn't legally BUY said source, and you obtained it OUTSIDE of the owner/author's permission. Theft, pure and simple.

Posted by domainworldaccess, 01-10-2008, 11:12 PM
We disagree again. I consider being called the spreader of lies an insult. But then you have not been able to keep a straight rudder through this whole discussion. Keep talking, Tom. Just keep talking. I did as you suggested o-so-many times. I asked Matt for some information. I have heard nothing from him. Maybe you are Matt! Now wouldn't that be a hoot!

Posted by whmcsguru, 01-10-2008, 11:31 PM
Well, gee, then maybe you should STOP SPREADING LIES! If you can't handle the truth, then change it. I don't care what you 'consider' to be an insult, if it's the truth, then it's the truth, not an 'insult'. Spreading rumours and lies such as that doesn't HELP situations, it creates them and inflates them. If you don't know, don't speak, pretty simple. This is how rumours get started. Matt's a smart man. Given the damage your posts have done, I wouldn't reply either. Given your attitude and demanding 'I want more' nature, again, I wouldn't either. Umm, no. Nice try though.

Posted by Annex, 01-10-2008, 11:47 PM
See, these are great examples of an "I need to be the best, I need to win" type of attitude, which is commonly seen amongst male children approximately 12 years old. Since you are acting quite like that it would make sense that you would be the same age; don't make me link every other post where you claimed to know more information or act as though you are better or know more than everyone else, because that would probably exceed the post size limit in vB. Alone in this thread it was done a multitude of times, even alone on this very page (or the one before if this post is a new page). Furthermore what do you know about law? If you claim my friend is wrong, show us your law credentials that you can base the statement upon; if you refuse, you obviously must revoke your statement and stop making such ignorant statements about things. While you're at that, quote some law that states that the decryption of source code for viewing purposes is illegal. Please do. As for acting childish, you have plenty of times, make more accusations and posts about how great you are, oh great one.

Posted by domainworldaccess, 01-10-2008, 11:48 PM
Incomplete quotes on a thread with the actual post in it? You are really rising to new heights. Have a nice life. Joe

Posted by whmcsguru, 01-10-2008, 11:56 PM
I don't have to show you anything, and credentials can be faked. I was merely making a point. If you don't want to admit that point, then that's your problem not mine. If you're CAUGHT in possession of a stolen item, then you're guilty of theft. PERIOD, end of statement. If you're caught with an illegal substance, then you're guilty of possession of said illegal substance. Really simply, it comes down to this: Did you buy said source code from the proper individual (ie: Matt)? If you did NOT, then you stole it from Matt, and are in possession of property that was stolen. A quote that was made multiple times by yourself, attempting to spread panic, conjecture and lies.

Posted by domainworldaccess, 01-11-2008, 12:02 AM
Tom, you cannot interpret writing nor read minds. You are making a patent statement about my intentions, about which you know nothing. Who is spreading conjecture any more than you? It is apparent you are deluded into thinking this is the Supreme Court and that WHMCS is the defendant and you are the star defense attorney. Tom, wake up. It is not. This is a forum for professionals who like to get together and talk shop. Sometimes the talk runs to silly fun in the midst of a crisis. It's going to be OK. The sun will rise tomorrow. Seek professional help my man.

Posted by whmcsguru, 01-11-2008, 12:15 AM
Actually, this forum is full of individuals who act unprofessionally and call themselves professionals. This thread is a perfect example of that. Attacking an individual for their choices is hardly 'professional'. Attacking an individual for a misstatement is hardly 'professional'. Spreading rumours (ie: In my opinion, it was an inside job), hardly 'professional'. Again, if you DON'T know of which you speak, keep your mouth shut. That is how rumours get started. Intentional, unintentional, it doesn't matter. If you don't know, don't speak. No need, I'm fine, thank you. Just because I'm (quite vocally) defending a program I've used, and someone I have done business with over the past couple of years, doesn't mean I need to seek help.

Posted by domainworldaccess, 01-11-2008, 12:30 AM
You are right, Tom. Those clothes don't make you look fat. IT'S THE FAT THAT MAKES YOU LOOK FAT! aswingandamiss

Posted by IH-Chris, 01-11-2008, 12:32 AM
You better read your own threads, Tom. You are starting to get ridiculous. In your mind you are always right. I can't count the threads on both hands when I left with a grin on my face with my own onions. You have one point to prove here and it's obvious it ain't happening. Just let the thread die already. Our point is known and probably wouldn't have gone as far as it did if you would quit trying to candy coat this. It's not ok, it's not a simple "apache" exploit. Did Matt's home box get hacked to initiate this, Mr Great one? Who cares at this point. Matt has one option.. clean it up. You trying to make it seem better than it really is will only make this worse by people proving you wrong. Unfortunately Matt is being used as an example since you act like you know it all. You may know some, but others know it all. It's better that way. Just be done with it. Let's say goodbye and talk another time when Matt fixes his application. Rub it in our face then; honestly I hope that day comes soon. Not for my sake, but for the thousands of users that are unwillingly taking the risks. Matt, thanks for your reply. It helps the situation for what it is worth.

Posted by domainworldaccess, 01-11-2008, 12:37 AM
At least we are all in agreement now.

Posted by whmcsguru, 01-11-2008, 01:28 AM
Ahh, so you know all, right? You know more about the situation than someone who, say, has talked to Matt about it? Of course, I'm sorry, my apologies. A> It IS ok B> It WAS an 'apache exploit' in the eyes of the developer. Just because you can't get it through your skull that not everyone understands 'apache' is just 'apache' that doesn't mean he's wrong! That doesn't make HIS statement wrong, because, in his eyes, that's what it was, an apache exploit. Quit being so ignorant. Again, I never said it was just an 'apache exploit'; in fact, I said that it could have been (and should have been) worded better, more than once, but to say that I'm candy coating something, well, you've got your facts wrong. And again, I've said this a number of times as well. Sure, stop posting ridiculous, inflammatory garbage, and I'll stop replying. Simple enough. The only thing I've done here is to make statements that contradict incorrect assumptions, allegations, guesses, and rumours, because the WHT mob tends to take those rumours and run with them. This thread is a classic case in point. What should have been a mild discussion turned into pages of garbage, because particular individuals started posting wild rumours, conjecture, and their own 'personal opinions' of what happened, and started making ridiculously outrageous demands which they had no place to make.

Posted by IH-Chris, 01-11-2008, 01:37 AM
You said it, not me. He said, you said. It don't matter. You being an admin should know better. Face it, you don't know it all; you proved that to me personally. The rest just fits your character. Unfortunately I'm getting tired and grouchy. Good night WHT. In hopes this thread will die. I won't respond any more.

Posted by Annex, 01-11-2008, 01:42 AM
Oh so you buy a new car, is it illegal to look at the engine? Nope. You buy some software and you decrypt it, is it illegal? Nope, but Matt will revoke your license, and if you use it unlicensed, that is theft. Looking at the source code isn't theft because I did buy it (hypothetically speaking, I personally never actually did buy it), albeit it's in an encrypted format.

Posted by Annex, 01-11-2008, 01:44 AM
Unfavorable characteristics are often the hardest things to get people to acknowledge. Furthermore, it's nearly impossible to get them to change the characteristics.

Posted by domainworldaccess, 01-11-2008, 01:45 AM
Hey Tom: You first, pal. Walk away. Last edited by domainworldaccess; 01-11-2008 at 01:48 AM.

Posted by jon-f, 01-11-2008, 03:05 AM
Are there any other billing scripts that have an import module for WHMCS? Like to migrate a WHMCS system over? I think just after the way this was handled with that email and all, I am ready to switch but would really like to be able to import.

Posted by domainworldaccess, 01-11-2008, 03:14 AM
Last I heard was not yet. Modern Bill is working on one according to a post on their site. Frankly I was hoping this would get handled better, because I _LOVE_ WHMCS; but after 2 emails and no response from Matt, I am also at the tipping point since he has still never disclosed the nulling of his code, that I am aware of... Not a good way to keep people on your side...

Posted by jjungling, 01-11-2008, 03:22 AM
I'm 2/3 of the way through a conversion to WHMCS; after reading this thread I'm now looking for another package. I've done AWBS and an old version of ModernBill and now have no clue where to go. Any suggestions? John

Posted by SBHS-Scott, 01-11-2008, 08:02 AM
I'm in the same boat... working on one site, was planning on doing another one after that. Personally I hope that Matt will release a new version soon that has addressed the bad code. I've tried AWBS and MB before and neither worked well for me. I'm currently using Clientexec, which I can't tolerate much longer..

Posted by bear, 01-11-2008, 08:07 AM
When you buy a license to WHMCS, this EULA covers the license purchased: Of course, I'm not a lawyer, but it sounds to me from part a that you aren't allowed to decompile it...as in unencrypt. Since an EULA is a type of contractual agreement, I'd suggest it is indeed illegal to do so.

Posted by StevenG, 01-11-2008, 08:56 AM
Well at least the developer is able to disable your license, whether it's illegal in your country or not. If you don't like EULAs, write your own software. linux-tech's involvement in this thread is mostly embarrassing, for the record. Last edited by StevenG; 01-11-2008 at 09:01 AM.

Posted by TonyB, 01-11-2008, 09:03 AM
Well if I'm looking at that EULA correctly you're not allowed to reverse engineer, decompile, or disassemble the Software Application. But that falls under the guys who nulled the software and not the people viewing the source? The b part is also for the guy who originally did this. Finally the third is actually about modifying the source which no one is actually doing they're simply viewing it.

Posted by StevenG, 01-11-2008, 09:05 AM
If you're an honest person, you just won't rip off people. If you're not honest, you will find some loophole that gives you the ability to do so. I don't care really. As long as you can sleep at night and pray to god (your god or no god, whatever) that you did the right thing today, I couldn't care less.

Posted by Bilco105, 01-11-2008, 09:56 AM
I'm more embarrassed about the behaviour of particular other members of this thread, to be honest. Hardly helping what is already quite a serious situation, by plain speculation and unfounded accusations.

Posted by StevenG, 01-11-2008, 10:01 AM
Yeah, we each pick our own, linux-tech has had a major involvement in this thread and expanded it way more than was needed. Maybe he got Matt to make a statement, I don't know, but he needs to leave it now, Matt's replied and quite frankly I'm bored of his responses.

Posted by domainworldaccess, 01-11-2008, 11:54 AM
Matt - Thank you.

Posted by ZoneServ.com, 01-11-2008, 12:02 PM
Sounds correct to me.

Posted by wonderpoint, 01-11-2008, 01:42 PM
Wow! Can't believe they trust user inputs so much. Even a beginner in web programming is taught not to trust anything that's coming from the browser without proper validation. I am glad I don't use this software.

Posted by ub3r, 01-11-2008, 02:42 PM
Tom, are you honestly going to tell me that looking at the source of a product you have no intention of using to verify how secure it is, you're honestly going to tell me that that is just as bad as theft? What's wrong with you man?

Posted by eger, 01-11-2008, 04:06 PM
I wish they could make a television drama about geeks and webhosting. Here is the pilot. linux-tech can be the star

Posted by dollar, 01-11-2008, 04:10 PM
As it looks like this thread has really gone off-topic it's time to