WHMCS Security Advisory for 5.x

[paradiseserver]

UPDATE 2: We have published 5.2.12 incremental and full versions. These include all security related enhancements as well as the missing file that triggers the version increment.

Please Note: if you downloaded 5.2.11, your update is incomplete. Please deploy 5.2.12 to ensure the software version increments properly. Version 5.1.13 was not affected by this packaging deficiency.

UPDATE: We've identified a missing file in 5.2.11 which causes the version number not to increment. All security related enhancements are present. We will be updating this post again with version 5.2.12 which will contain the complete change set. Thank you for you patience.

WHMCS has released new patches for the 5.2 and 5.1 minor releases. These updates provide targeted changes to address security concerns with the WHMCS product. You are highly encouraged to update immediately.

WHMCS has rated these updates as having critical & important security impacts. Information on security ratings is available atSecurity Levels - WHMCS Documentation

Releases
The following patch release versions of WHMCS have been published to address all known vulnerabilities:
v5.2.12
v5.1.13


Security Issue Information

These updates resolve the following issues:

> Information disclosure via the client area as published by 'localhost'
> HTTP Split Attack discovered by the WHMCS Development Team
> SQL Injection Vulnerability discovered by the WHMCS Development Team
> Privilege boundaries not being enforced on addons reported by Vlad C of NetSec Interative
> Download directory traversal reported privately by an individual
> Lack of input validation in data feeds input discovered by the WHMCS Development Team
> Deficient Null Byte sanitization on input discovered by the WHMCS Development Team

Important Fix Information

These updates also include the following non-security related functional fixes:

> Improved validation of monetary amounts
> Moneris Vault Gateway compatibility update
> Credit cards not processing under certain conditions
> Correction to internal logic for testing Authorize.net payment gateway


Mitigation

WHMCS Version 5.2

Download and apply the appropriate patch files to protect against these vulnerabilities.

Patch files for affected versions of the 5.2 series are located on the WHMCS site as itemized below.

v5.2.12 (full version) - Downloadable from the WHMCS Members Area
MD5 Checksum: fd2500df9068b7c00a9452ef31cfd522

v5.2.12 (patch only; for 5.2.10 or 5.2.11 ) - http://go.whmcs.com/254/5212_incremental
MD5 Checksum: dbf1f18f98c14d5f212f6e4bc249cca6

To apply a patch, download the files indicated above and replace the files within your installation.
No upgrade process is required.

WHMCS Version 5.1

Download and apply the appropriate patch files to protect against these vulnerabilities.

Patch files for affected versions of the 5.1 series are located on the WHMCS site as itemized below.

v5.1.13 (patch only; for 5.1.12) - http://go.whmcs.com/250/5113_incremental
MD5 Checksum: e06d0033c388a8f2c43e24134fe8bd63

To apply a patch, download the files indicated above and replace the files within your installation.
No upgrade process is required.



All versions of WHMCS are affected by these vulnerabilities, however only 5.1 and 5.2 will be provided updates per our Long Term Support Policy.

You can read more about our Long Term Support Policy here:

Long Term Support - WHMCS Documentation



This Security Advisory is in the process of being emailed to all active license holders.
Posted by Matt on Friday, October 25th, 2013

[yassale]

این whmcs دیگه رو اعصابه هر روز یه آپدیت میده بیرون حداقلم نمیاد یه چی بزاره مثل وردپرس راحت آپدیت شه.

[webhosts]

شاید بعضی دوستان نتوانند این را از whmcs دانلود کنند. برای همین پچ را قرار دادم.
برای دانلود مستقیم این پچ به http://www.webhostingtalk.ir/f176/95592/ مراجعه کنید.