WHMCS Security Advisory for 4.5, 5.0, 5.1, 5.2

http://blog.whmcs.com/?t=73290
========================================

WHMCS has released new patches for the 4.5, 5.0, 5.1 and 5.2 minor releases. These updates provide targeted changes to address security concerns with the WHMCS product. You are highly encouraged to update immediately.

WHMCS has rated these updates as including critical or important security impacts. Information on security ratings is available at http://docs.whmcs.com/Security_Levels

Releases

The following full-release versions of WHMCS have been published and address all known vulnerabilities:
5.2.5

The latest public releases of WHMCS are available inside our member’s area at https://www.whmcs.com/members/clientarea.php

Security Issue Information

The Targeted Security Release and Patch updates for 4.5, 5.0, and 5.1 resolve an issue of unsanitized information being used in a SQL query. Using a crafted URL,
an attacker could perform an SQL Injection.

The Targeted Security Release and Patch update for 5.2 addresses a security enhancement regression discovered in 5.2.3 and 5.2.4. This regression is not
related to the itemized vulnerability mentioned for 4.5, 5.0, and 5.1. The regression was identified internally and is not a candidate for public
disclosure.

Mitigation

——————
WHMCS Version 4.5
——————

Download and apply the appropriate patch files to protect against these vulnerabilities.

Patch files for affected version of the 4.x series is located on the WHMCS site as itemized below.

• v4.5.5 (patch only) — http://www.whmcs.com/download/302/v455patch

To apply the patch, simply download the appropriate patch file specific to the WHMCS version you are running, extract the contents, and upload the files from
the /whmcs/ folder to your installation.

No install or upgrade process is required.

——————
WHMCS Version 5.x
——————

Download and apply the appropriate full-version or patch of WHMCS to protect against these vulnerabilities.

Patch files for affected version 5.x are located on the WHMCS site as itemized below. A full-version of 5.2.5 is located in the WHMCS member’s area download
section, under your license details.

• v5.0.6 (patch only) — http://www.whmcs.com/download/306/v506patch
• v5.1.7 (patch only) — http://www.whmcs.com/download/310/v517patch
• v5.2.5 (patch only) — http://www.whmcs.com/download/314/v525patch
• v5.2.5 (full-version) — Available in the members area

When updating from v5.0.5, v5.1.6, or v5.2.4 you can use the patch file and the upgrade process is not required. Simply download the appropriate file specific
to the WHMCS version you are running, extract the contents, and upload the files from the /whmcs/ folder to your installation.

If running any other version you should apply the full-version, simply download the file from our member’s area and then follow the regular upgrade instructions
which can be found at http://docs.whmcs.com/Upgrading

WHMCS Limited
www.whmcs.com

• Support: http://support.whmcs.com/
• Documentation: http://docs.whmcs.com/
• Members Area: http://www.whmcs.com/members/

We’ve made it extremely easy for you to build a stunning website and get online in a matter of minutes…with no technical skills. Although, if you have questions, our knowledgeable and friendly customer support team is here 24/7.

Here’s a taste of what Website Builder v7 offers:

• Hundreds of pre-built, content-rich template designs
• Thousands of captivating images
• Easy, interactive drag-and-drop interface
• Flexible tools to build without constraints
• Automatically optimized for smartphones, tablets, and desktops
• Free hosting and  99.9% uptime

Whether you just need a small business site, are preparing for future growth, or are established and need more flexibility and power, there’s a plan for you. And all annual plans include a free domain. Learn more »

Already have Website Builder? Soon, we’ll seamlessly upgrade all existing accounts to version 7 so you can start taking advantage of the new features.

The simplified terms let you earn an increased commission on almost all products. Your earning potential has never been better!

Base Commission:

• 40% revenue share for new customers’ orders (first-time purchasers)
• 10% revenue share for existing customers’ orders

Hosting Commission:

• $105 on new customers’ 12-month hosting plans
• $27.50 on existing customers’ 12-month hosting plans

We thank you for your continued promotion of Go Daddy. Partners like you have helped us become the world’s largest domain name registrar. Our Affiliate team is committed to your continued success.

Please feel free to contact us at AffiliateProgram@GoDaddy.com if you have any questions.

To start using your email account, simply set up your personalized email address by following our easy instructions.

Once you create your email, you can log in to Web-Based Email at email.secureserver.net to send and receive email messages.

If you prefer to use a third party email client or your mobile device, we can help you out with that as well:

• Apple iPad
• Apple iPhone
• Auto-Setup for Apple devices
• Microsoft® Surface tablet
• Android devices
• Microsoft Windows® phone
• BlackBerry
• Apple Mail
• Microsoft Entourage
• Eudora
• Microsoft Outlook
• Microsoft Outlook Express
• Mozilla Thunderbird
• Hosted Exchange

Outlook Easy Setup makes it even easier if you’re using Outlook on a PC and your domain is registered with us!

So, what are you waiting for? Get it set up and start using your personalized email address today!

This is an industry-wide decision, not one specific to our company.

On July 1, 2012, we stopped accepting new requests, rekeys or renewals for SSL certificates that contain intranet names or IP addresses and are valid beyond Nov. 1, 2015. If you have an existing certificate that contains an intranet name and/or an IP address, you can continue to use that certificate until it expires or until October 1, 2016, whichever comes first.

For more information, see Phasing Out Intranets and IPs in SSLs.

A Better way to Back up, Store, and Share Your Files
Online Storage makes it easy for you to back up, store, and share your files in the cloud. It’s like having your own personal network drive!

• Bypass email attachment limits with links to the files you want to share
• Great for documents, photos, music, and more
• Access your data from any online computer or even your smartphone

Create a URL to Link to Your Shared Files
With our latest update, you can create a “files.” subdomain for your Online Storage account. If your domain name is registered with Go Daddy, and you’re using Online Storage, it’s easy to quickly set up your subdomain so you can:.

• Provide users with an easy-to-remember link to files
• Use a branded URL with your own domain name
• Upload files using FTP

Secure and Affordable File Storage Solution
Now you can stop taking up valuable space in your hosting account, on your computer’s hard drive, in your email account, or wherever it is that you’re storing your data. Start using Online Storage to conveniently store and easily share files with your own files.yourdomain.com URL.

So, what are you waiting for?

Getting Started

Log in to your Quick Shopping Cart account, go to Set Up => Store Preferences => General tab, and select Enable Sharing in the Social Media section. From here, you can:

• Select from 5 Share Button Styles
• Add their Facebook® and Twitter® accounts to display
• Click Share to select social media apps

Getting to that 300+

We’ve presented a few of the most popular social apps, but you can click More, or just click the Share button, to see all available apps. You can add any of the apps individually, but the real “Wow” is in the ability to Sign In to AddThis and create a single login to all the apps you choose.

For more information about getting around in the new category manager, see Adding Social Media to Quick Shopping Cart.

Understood around the world as an abbreviation for company, corporation, or commerce, .co domain names are easy to recognize, simple to remember, and flexible to use.

See About .co Domain Names and Registering .co Domain Names for more information.

Parallels Plesk Panel 9.x, 10.x, 11.x – Privilege Escalation Vulnerability

Parallels Customer,
Please read this message in its entirety and take the recommended actions.

Situation

Parallels Plesk Panel privilege escalation vulnerabilities have been discovered and are described in VU#310500 and CVE-2013-0132, CVE-2013-0133 (CVSS score 4.4 – http://www.kb.cert.org/vuls/id/310500).

Impact

This impacts Parallels Plesk Panel for Linux versions 9.x, 10.x, 11.x.

You are at risk if you have Apache web server running mod_php, mod_perl, mod_python, etc.

You are NOT at risk if you have Apache web server running Fast CGI (PHP, perl, python, etc.) or CGI (PHP, perl, python, etc.).

Solution

Parallels has issued security updates for Parallels Plesk Panel versions 9.x-11.x. The security updates for Parallels Plesk Panel 11.x and Parallels Plesk Panel 10.4.4 will automatically appear inside your Parallels Plesk Panel control panel – please apply them as soon as possible.

The security hotfix for Parallels Plesk 9.x is available for download here: http://kb.parallels.com/115942.

Workaround

Parallels understands that it’s not always practical for immediate upgrades, so we have provided a solution to fix this vulnerability. For the immediate solution, customers should read this knowledge base article for instructions: http://kb.parallels.com/115942.

Parallels takes the security of our customers very seriously and encourages you to take the recommended actions as soon as possible.

Customers are also strongly encouraged to subscribe to our support e-mails by clicking here, subscribe to our RSS feed here and add our Knowledge Base browser plug-in here.