WHMCS has rated these updates as having critical security impacts. Information on security ratings is available at http://docs.whmcs.com/Security_Levels
Releases
The following patch release versions of WHMCS have been published to address a specific privilege and SQL vulnerabilities:
v5.2.10
Security Issue Information
These changes resolve security issues identified by public disclosure. The follow security issues have been addressed within the latest patches:
- Missing Cross Site Request Forgery Token checks for certain operations related to Product Bundles and Product Configuration
- SQL Injection viable due to improper validation of expected numeric data
- Enforce privilege boundaries for particular ticket actions
Important Fix Information
These changes also include important functional fixes that were produced from previous security patches:
- Mass mail client filter excluding users set to default language
- Admin clients list displaying multiple instances of the same record in certain conditions
- Prevent user input from manipulating IP Ban logic
Mitigation
WHMCS Version 5.2.10
Download and apply the appropriate patch files to protect against these vulnerabilities.
Patch files for affected versions of the 5.2 series are located on the WHMCS site as itemized below.
v5.2.10 (full version) - http://billing.webhostingzone.co.za/dl.php?type=d&id=15
v5.2.10 (patch only; for 5.2.9 ) - http://go.whmcs.com/242/5210_incremental
To apply a patch, download the files indicated above and replace the files within your installation.
No upgrade process is required.
All versions of WHMCS are affected by this vulnerability, however only 5.1 and 5.2 will be provided updates per our Long Term Support Policy.
Monday, October 21, 2013