Special thanks to Dustin Cisneros, CEO of RackNerd (who goes by @dustinc) from RackNerd for sharing this tip with the LEB/LET community, considering many community providers here utilize WHMCS. The link to the LowEndTalk post by Dustin from RackNerd is here. He also shares a MySQL command (mentioned below) to check if you were most likely impacted by this vulnerability before.
If you’re not a provider or WHMCS user, why not check out RackNerd’s latest offers, which include VPS systems starting at only $11.38/YEAR?
On June 20, 2023, WHMCS silently published a security update on their blog without any sort of email announcement or social media announcement. Nothing on Facebook, nothing on Twitter, nothing on LinkedIn… nada. Almost like everyone will be actively checking and refreshing the WHMCS blog on a daily basis, am I right? /s
WHMCS words this as “An important payment assertion issue and an XSS security issue have been identified that affect all versions of WHMCS.” Yikes.
Okay. So in other words, it allowed bad actors to mark invoices that weren’t actually paid, as paid. This meant providers that relied heavily on automation and did not audit their transactions could have potentially lost some revenue.
And of course, it was followed by corporate speak by WHMCS, classic. “Further details about these issues will not be disclosed at this time.”
In short… update your WHMCS to the latest version, or follow the patch set instructions mentioned at https://blog.whmcs.com/133735/security-update-2023-06-20
Now if you’re looking for a WHMCS alternative, Clientexec is worth considering. On that note, RackNerd provides free Clientexec licenses for all active RackNerd clients. Pretty neat.
Original Post/Details by Dustin at RackNerd
For providers here using WHMCS, recently on June 20, 2023, WHMCS silently published a security update on their blog without any sort of email announcement or social media announcement. This affects all WHMCS versions prior to that date.
According to WHMCS, the security update is described as: “An important payment assertion issue and an XSS security issue have been identified that affect all versions of WHMCS.”
While not exactly client impacting, this could have resulted in lost revenue for providers, as it essentially allows bad actors to falsely mark invoices as paid, when it in fact was not.
To patch yourself from this vulnerability going forward, update your WHMCS to the latest version, or follow the patch set instructions mentioned at https://blog.whmcs.com/133735/security-update-2023-06-20
How to Check If You Were Previously Affected
The best way to check is by comparing payments made to you (within your merchant accounts) against the paid invoices within the WHMCS system.
Our team at RackNerd found that this vulnerability usually involves one invoice ID being factually paid and another unpaid invoice ID sharing the same transaction ID as the paid invoice. Typically, if there’s malicious intent, a smaller invoice will be actually paid, with a larger invoice falsely marked as paid using the same transaction ID.
ATTN Providers:
To assist you further (which should not be a substitute for manually auditing, but still helps point you towards the right direction), our development folks at RackNerd have created an SQL query that you can run within your WHMCS database. This will help identify any duplicate transaction IDs that may exist within your WHMCS database. The query below is read-only and does not write any changes to your database, but we still recommend taking a backup before running any MySQL operations.
SELECT a.* FROM tblaccounts a JOIN ( SELECT transid FROM tblaccounts WHERE transid IS NOT NULL AND transid <> ” AND description NOT LIKE ‘%Refund%’ GROUP BY transid HAVING COUNT(transid) > 1 ) b ON a.transid = b.transid WHERE a.transid IS NOT NULL AND a.transid <> ” AND a.description NOT LIKE ‘%Refund%’;
After running the above query, sort by date (newest to oldest) and examine the “invoiceid” and “transid” columns. If you notice a “transid” being the same on different invoice IDs, you might want to manually check to see if that was intentional.
While WHMCS did not release specifics regarding the vulnerability as they mentioned “Further details about these issues will not be disclosed at this time”, our observations suggest that it mainly affects providers using WHMCS in conjunction with Stripe.
Related Posts:
- COMMUNITY NEWS: RackNerd LLC, Global IaaS Provider, Expands European Footprint with New Dublin, Ireland Datacenter - November 16, 2024
- Hey Providers – Want Some FREE Advertising During the SuperBowl? - November 14, 2024
- Inception Hosting is Closing Its Doors - November 12, 2024
LOL why to thank Dustin for this, WHMCS has already sent an email about it. It looks like Dustin wants to grab attention all the time and saying he has found something.
Hi LOL — I’m always all for sharing knowledge and helping others rather than withholding information, but more importantly this was simply about spreading awareness to other providers considering many here utilize WHMCS. Since releasing this post, I’ve been hearing inconsistent reports on whether the email was received or not. Some folks confirmed they got it while others, like us, didn’t receive anything. On our end, we didn’t get anything, see screenshot: https://i.ibb.co/sVHW93q/WHMCS-email-history.png
My guess is that there might have been some inconsistency or glitch in their mass mail, preventing it from reaching all license holders.
Adding to the confusion, WHMCS hasn’t been exactly forthcoming with details on this issue, nor have they provided a proposed method for identifying if you’ve been previously affected. The SQL query and related solutions mentioned above, were created by us based on our experience and observations (and not WHMCS), just to be clear.
WHMCS customer for over 5 years here. Didn’t get a single communication about this till now…
Just updated and checked.
Thnx for sharing.