LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Hostus is Being Appropriately Cautious: Stupid WHMCS Third Party Templates...

[Image: Nazgûl Hacker]

Hostus customers started receiving this email yesterday.  I got mine today:

> We regret to inform you about a security breach that has happened with our WHMCS client billing system (my.hostus.us) caused by a recent security vulnerability identified in our WHMCS theme Lagom Client Theme, which has led to unauthorised access to our WHMCS database by a hacker. We must acknowledge the possibility that the data accessed during this breach could potentially be misused. We cannot guarantee with absolute certainty that the data that was accessed will remain secure. Therefore, we urge you to implement all necessary precautions to protect your account, services and systems.
>
> If your service (VPS, Shared hosting etc) account password was not changed from the original password that the service was set up with please change it immediately. Please also change your HostUS Customer account password via my.hostus.us. We sincerely apologise for any inconvenience this may have caused. Please understand that we are doing everything within our power to assist and support you during this time.
>
> We are currently producing a full transparency report to provide to our customers. It’s with great sadness that this has happened. It’s with great sadness that I send you this email, please be assured we are doing everything in our power with this situation.

You’d think that for $149 per domain, RS Studio could afford a security audit.

I am not a Hostus customer at present but tried them a few times in the past and generally had a good experience.  A shame this happened to @AlexanderM’s company.  They’ve been active in our community for a long time and have earned a good reputation.

And it seems that they are acting out of an abundance of caution, which is a very responsible approach.  RS explains the issue:

> About the Security Issue
>
> The issue pertains to a specific function that allowed customers to upload image files (PNG, JPG, SVG, and GIF) when logged into the WHMCS client area. This function used PHP MIME type checks to ensure only these image formats could be uploaded. However, we have discovered that the MIME function’s security measures are not entirely foolproof.
>
> It has come to our attention that skilled hackers could exploit this function. They could bypass the intended restrictions by executing a particular URL, allowing them to upload a PHP file. This vulnerability poses a significant security risk.
>
> We want to assure you that this function was never utilized in the Lagom Client Theme. As a precautionary measure, we have completely removed this function from the addon files to eliminate any potential risk.

Amusingly, googling for “Lagom WHMCS hack” leads to a WHT thread, which points to LowEndTalk for more information.

BTW, I picked the image for this article because it looks like a Nazgûl hacking someone’s web site, and that amused me.
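A defensive counterpart to the upload function RS Studio describes above, as an added example (not code from Lagom, WHMCS or HostUS): a PHP handler that ignores the client-supplied type and name, sniffs and parses the content, and stores the file under a server-chosen name outside the web root. The directory, size limit and the `avatar` field name are assumptions; SVG is left out because it is XML that can carry script and needs sanitizing rather than a type check.

```php
<?php
declare(strict_types=1);

// Added example: names, paths and limits are assumptions, not Lagom/WHMCS code.
const UPLOAD_DIR = '/var/lib/app-uploads';   // assumed location outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;          // assumed size limit (2 MiB)
// The stored extension is chosen by the server from the detected type.
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

/** Validate one entry of $_FILES and return the stored path, or throw. */
function storeImageUpload(array $file, string $destDir = UPLOAD_DIR): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $tmp = (string) ($file['tmp_name'] ?? '');
    if (!is_uploaded_file($tmp) || filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('not an accepted upload');
    }
    // Sniff the content itself; $file['type'] and $file['name'] come from the client.
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    $ext  = ALLOWED[$mime] ?? null;
    if ($ext === null) {
        throw new RuntimeException('rejected type: ' . $mime);
    }
    // Leading magic bytes can be prepended to other content, so also require
    // a parseable image whose decoded type agrees with the sniffed one.
    $info = @getimagesize($tmp);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('not a valid image');
    }
    // Random server-side name: no client-controlled path or extension survives.
    $dest = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // readable by the app, never executable
    return $dest;
}

// Usage inside a request handler (the field name "avatar" is hypothetical):
// $path = storeImageUpload($_FILES['avatar']);
```

Files stored this way are served back through a script that reads them and sets the Content-Type itself, so the web server never maps a request directly onto the upload directory.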



  1. > They could bypass the intended restrictions by executing a particular URL, allowing them to upload a PHP file.

    Why is the image upload feature storing files in a directory that can execute code??? That’s one of the most basic security features of an upload feature: ALWAYS store user-uploaded files in a completely different folder away from any executable code. Also, check the actual type of the file (e.g. using magic bytes like the Linux “file” command) rather than relying on MIME type or extension, as both are provided by the client and could be modified.

    February 18, 2024 @ 7:57 pm | Reply
  2. Jaxx:

    > it looks like a Nazgûl hacking someone’s web site
    This is also the reason I had to click through from the email.

    Meanwhile, and maybe this is just me, but typically themes don’t add functionality to a file upload field, only style it. It’s a shame when a theme thinks it’s also a plugin. In this case, a rather sad shame.

    February 18, 2024 @ 9:19 pm | Reply
  3. Best informative post. Thank you very much.

    February 23, 2024 @ 8:22 am | Reply
  4. Kalle:

    Are you able to log into the client area?

    February 23, 2024 @ 5:34 pm | Reply
