Security Advisory 2020-01-28 - Revision history

Matt: /* Apache Web Server Software */

2020-01-28T19:20:07Z

‎Apache Web Server Software

Matt: /* Other Web Server Software */

2020-01-28T15:15:06Z

‎Other Web Server Software

Matt: /* Other Web Server Software */

2020-01-28T15:14:14Z

‎Other Web Server Software

Matt: /* How to tell if you're affected */

2020-01-28T14:05:02Z

‎How to tell if you're affected

Matt: Created page with "==About the vulnerability== A potential security vulnerability exists when htaccess directives are not enforced appropriately for WHMCS. WHMCS ships with a vendor directory..."

2020-01-28T13:58:15Z

Created page with "==About the vulnerability== A potential security vulnerability exists when htaccess directives are not enforced appropriately for WHMCS. WHMCS ships with a vendor directory..."

New page

==About the vulnerability==

A potential security vulnerability exists when htaccess directives are not enforced appropriately for WHMCS.

WHMCS ships with a vendor directory which should not be publicly accessible. By default a .htaccess file is provided which in most cases would be sufficient to direct the web server to disallow web based access to files in that location. nginx in particular will not honor that directive.

We have recently become aware of malicious actors scanning the internet for vulnerable web server configurations that host WHMCS installations. Improperly configured web servers could allow an unauthenticated, remote attacker to access sensitive WHMCS data.

As a result, we are rating the severity of this issue as critical.

This advisory was published on 28th January 2020.

==Affected versions==

WHMCS 6.0 and later

==How to tell if you're affected==

If the following file is readable from a web browser, then you need to investigate and apply appropriate configurations for your web server environment.

<div class="source-cli"><nowiki>https://www.example.com/path/to/whmcs/vendor/composer/LICENSE</nowiki></div>

A verification tool has also been made available to assist in determining if your web server environment is affected. This tool can be downloaded [b]here***[/b].

To use the tool, simply upload it to the root directory of your WHMCS installation and then visit in a browser or run from the command line. The tool will confirm if you are affected.

==How to fix the vulnerability==

The solution depends upon your web server environment and various configurations.

===Apache Web Server Software===

Apache is the recommended web server software platform to run WHMCS on. By default a .htaccess file is provided which in most cases should be sufficient to direct the Apache web server to disallow web based access to files within the vendor directory.

If you are running Apache and files remain accessible, please first ensure that the /vendor/.htaccess file exists, then you will want to investigate if your Apache configuration has disabled the use of .htaccess files or if there is a parent configuration that is negating the directive in the provided .htaccess file.

===Other Web Server Software===

While other web server technologies are not officially supported, we understand that some users do wish to run WHMCS in environments other than Apache.

For those that do, you must ensure that files within the /vendor/ directory are not served based on your web server configuration.

To help with this, we have made available the following help resources:

'''LightSpeed'''

LiteSpeed uses the same configuration format as Apache HTTP Server and is compatible with most Apache features, including .htaccess files. The default .htaccess file provided should in most cases be sufficient to direct the LightSpeed web server to disallow web based access to files within the vendor directory.

If you are running LightSpeed and files remain accessible, please first ensure that the /vendor/.htaccess file exists, then you will want to investigate if your LightSpeed configuration has disabled the use of .htaccess files or if there is a parent configuration that is negating the directive in the provided .htaccess file.

'''Nginx'''

A detailed guide for how to restrict access to directories with nginx has been made available at https://docs.whmcs.com/Nginx_Directory_Access_Restriction

'''Microsoft IIS'''

To restrict access to directories on IIS systems, perform the following steps:

# Open IIS Manager
# Navigate to Web Sites\<your website>\vendor
# In the right pane, double-click “Authentication"
# For “Anonymous Authentication”, choose “Disabled”
#Restart IIS

'''Others'''

If your web server software is not listed here, please consult with your server administrator or contact our technical support team for further advice.

==Technical Support==

WHMCS understands that customers may have questions about this vulnerability or need assistance in determining if they are affected, and we are ready to assist as needed. For support on this issue, please [https://www.whmcs.com/submit-a-ticket open a support ticket].

@@ Line 45: / Line 45: @@
 '''LiteSpeed'''
-LiteSpeed uses the same configuration format as Apache HTTP Server and is compatible with most Apache features, including .htaccess files. The default .htaccess file provided should in most cases be sufficient to direct the LightSpeed web server to disallow web based access to files within the vendor directory.
+LiteSpeed uses the same configuration format as Apache HTTP Server and is compatible with most Apache features, including .htaccess files. The default .htaccess file provided should in most cases be sufficient to direct the LiteSpeed web server to disallow web based access to files within the vendor directory.
-If you are running LightSpeed and files remain accessible, please first ensure that the /vendor/.htaccess file exists, then you will want to investigate if your LightSpeed configuration has disabled the use of .htaccess files or if there is a parent configuration that is negating the directive in the provided .htaccess file.
+If you are running LiteSpeed and files remain accessible, please first ensure that the /vendor/.htaccess file exists, then you will want to investigate if your LiteSpeed configuration has disabled the use of .htaccess files or if there is a parent configuration that is negating the directive in the provided .htaccess file.
 '''Nginx'''

@@ Line 33: / Line 33: @@
 Apache is the recommended web server software platform to run WHMCS on. By default a .htaccess file is provided which in most cases should be sufficient to direct the Apache web server to disallow web based access to files within the vendor directory.
-If you are running Apache and files remain accessible, please first ensure that the /vendor/.htaccess file exists, then you will want to investigate if your Apache configuration has disabled the use of .htaccess files or if there is a parent configuration that is negating the directive in the provided .htaccess file.
+If you are running Apache and files remain accessible, please first ensure that the /vendor/.htaccess file exists, has appropriate ownership and permissions, and that it contains the following directive:
 ===Other Web Server Software===

@@ Line 43: / Line 43: @@
 To help with this, we have made available the following help resources:
-'''LightSpeed'''
+'''LiteSpeed'''
 LiteSpeed uses the same configuration format as Apache HTTP Server and is compatible with most Apache features, including .htaccess files. The default .htaccess file provided should in most cases be sufficient to direct the LightSpeed web server to disallow web based access to files within the vendor directory.

@@ Line 21: / Line 21: @@
 <div class="source-cli"><nowiki>https://www.example.com/path/to/whmcs/vendor/composer/LICENSE</nowiki></div>
-A verification tool has also been made available to assist in determining if your web server environment is affected. This tool can be downloaded [b]here***[/b].
+A verification tool has also been made available to assist in determining if your web server environment is affected. This tool can be downloaded '''[https://www.whmcs.com/download/1329/security_advisory_20200128_verification_tool.zip here]'''.
 To use the tool, simply upload it to the root directory of your WHMCS installation and then visit in a browser or run from the command line. The tool will confirm if you are affected.