WHMCS Security Advisory 2020-01-28 & actual help for lighttpd (impacts apache & nginx also)

InceptionHostingInceptionHosting Hosting ProviderOG
edited January 2020 in Industry News

From WHMCS:

Hello,

We are writing to advise you of a potential security vulnerability when htaccess directives are not enforced appropriately for WHMCS. This most commonly occurs in web server environments such as nginx.

Affected Versions

WHMCS 6.0 and later

How to tell if you're affected

If the following file is readable from a web browser, then you need to investigate and apply appropriate configurations for your web server environment.

https://www.example.com/path/to/whmcs/vendor/composer/LICENSE
A verification tool has also been made available to assist in determining if your web server environment is affected. This tool can be downloaded here.

How to fix the vulnerability

Please follow the instructions provided in the detailed security advisory:

WHMCS Security Advisory 2020-01-28

WHMCS is here to help, if you are unsure if your system is enforcing .htaccess directives you can open a support ticket for assistance.

Kind regards,
WHMCS

The lighttpd advice given is usless so incase it helps anyone using it:

What you actually want is to add the following to your lighttpd.conf:

# deny access to /vendor
$HTTP["url"] =~ "^/vendor/" {
     url.access-deny = ("")
}
Thanked by (1)uptime

https://inceptionhosting.com
Please do not use the PM system here for Inception Hosting support issues.

Comments

  • oi you got a license for that license mate?

    Thanked by (3)AlwaysSkint WSS dahartigan

    HS4LIFE (+ (* 3 4) (* 5 6))

  • AlwaysSkintAlwaysSkint OGSenpai
    edited January 2020

    I think it is only intended to show LICENCE as an example: who the hell cares that someone can read that? Any mitigation shouldn't just be focussed on that one file, I suspect.

    Dunno, but perhaps more appropriate..
    [code]

    deny access to composer

    $HTTP["url"] =~ "^/vendor/composer/" {
    url.access-deny = ("")
    }
    [/code]

    EDIT5: give up on trying to format this post :'(

    It wisnae me! A big boy done it and ran away.
    NVMe2G for life! until death (the end is nigh)

  • InceptionHostingInceptionHosting Hosting ProviderOG

    lol, i take things so literal I am sure I have never diagnosed Asperger syndrome or something.

    Thanked by (2)AlwaysSkint dahartigan

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • AlwaysSkintAlwaysSkint OGSenpai
    edited January 2020

    Strangely, just this morning, I was thinking about the setting that allows WHM/cPanel to check how many levels down for .htaccess - I normally change from the default of two, to three.
    Haven't noticed any similar setting on any of the other control panels nor nginx etc.

    It wisnae me! A big boy done it and ran away.
    NVMe2G for life! until death (the end is nigh)

  • InceptionHostingInceptionHosting Hosting ProviderOG

    Post updated with common sense applied :) cheers @AlwaysSkint

    Thanked by (2)AlwaysSkint vimalware

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • Interesting to see people still running lighttpd. Such a shame that the project has been nearly abandoned, loved it a decade ago.

    Thanked by (1)flips
  • InceptionHostingInceptionHosting Hosting ProviderOG

    WHMCS just notified me by ticket that it is in fact the entire /vendor folder

    Might be me but that really was not apparent from the email or docs.

    Thanked by (1)MichaelCee

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • MikeAMikeA Hosting ProviderOG

    @AnthonySmith said:
    WHMCS just notified me by ticket that it is in fact the entire /vendor folder

    Might be me but that really was not apparent from the email or docs.

    They do not know the actual root cause of the problem, they are just blanketing the situation in the email.

    Thanked by (3)WSS MichaelCee dahartigan
  • @AnthonySmith said: entire /vendor folder

    Don't use WHMCS, so I could only speculate. ;)

    It wisnae me! A big boy done it and ran away.
    NVMe2G for life! until death (the end is nigh)

  • @MikeA said:
    They do not know the actual root cause of the problem, they are just blanketing the situation in the email.

    My guess is some weirdo Smarty hook or some retarded unsanitized file_get_contents() which relies on allow_url_fopen from some code that dates back to 20 years ago. That's usually the cause.

    Thanked by (1)vimalware

    My pronouns are like/subscribe.

  • This also impacts NGINX users.... @AnthonySmith would you mind extending the topic to state its basically any HTTP with a stock config that is NOT apache. Even apache users should validate they arent exposing /vendor.

    Thanked by (1)vimalware

    Ionswitch.com | High Performance VPS in Seattle and Dallas since 2018

  • InceptionHostingInceptionHosting Hosting ProviderOG

    done

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • vpsgeekvpsgeek OG
    edited January 2020

    https://fortiguard.com/encyclopedia/ips/45765/phpunit-eval-stdin-php-remote-code-execution

    That vulnerability was disclosed in 2017 so it is WHMCS being busy working out a new price increase lazy

    Only thing their owners are interested in is money & don't give a single ***k about security

    Recommend: SmallWeb|BuyVM|Linode|RamNode

  • How is this issue exploitable? What can be gained if it is exploited? Is it High Risk?

Sign In or Register to comment.