WHMCS Security Advisory 2020-01-28 & actual help for lighttpd (impacts apache & nginx also)

AnthonySmith (Administrator, Hosting Provider)
edited January 28 in Industry News

From WHMCS:

Hello,

We are writing to advise you of a potential security vulnerability when htaccess directives are not enforced appropriately for WHMCS. This most commonly occurs in web server environments such as nginx.

Affected Versions

WHMCS 6.0 and later

How to tell if you're affected

If the following file is readable from a web browser, then you need to investigate and apply appropriate configurations for your web server environment.

https://www.example.com/path/to/whmcs/vendor/composer/LICENSE

A verification tool has also been made available to assist in determining if your web server environment is affected. This tool can be downloaded here.

How to fix the vulnerability

Please follow the instructions provided in the detailed security advisory:

WHMCS Security Advisory 2020-01-28

WHMCS is here to help, if you are unsure if your system is enforcing .htaccess directives you can open a support ticket for assistance.

Kind regards,
WHMCS

The lighttpd advice given is useless, so in case it helps anyone using it:

What you actually want is to add the following to your lighttpd.conf:

# deny access to /vendor
$HTTP["url"] =~ "^/vendor/" {
     url.access-deny = ("")
}

Inception Hosting - 256MB OpenVZ VPS back in stock for €8.00 p/year - DEDICATED IP4 + /64 IPv6 https://clients.inceptionhosting.com/cart.php?a=add&pid=177
Please do not use the PM system here for Inception Hosting support issues.

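Added example (not from the WHMCS advisory or from any post in this thread): the advisory's "is LICENSE readable?" check scripted in Python, run against a constructed WHMCS-like docroot served by Python's http.server, which, like stock nginx and lighttpd, never reads .htaccess. The function names, `PROBE_PATH`, the sample .htaccess and LICENSE files are all assumptions/constructed for the demo; point `is_vendor_exposed()` at a real WHMCS base URL to run the advisory's check.

```python
import functools
import os
import shutil
import tempfile
import threading
import urllib.error
import urllib.request
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Path named in the advisory; a 2xx here means the /vendor tree is readable.
PROBE_PATH = "/vendor/composer/LICENSE"


def probe_status(base_url: str, path: str = PROBE_PATH, timeout: float = 5.0) -> int:
    """Return the HTTP status for base_url + path; 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def is_vendor_exposed(base_url: str) -> bool:
    """True when the probe file is served (2xx); 403/404 count as protected."""
    return 200 <= probe_status(base_url) < 300


def demo_unenforced_htaccess() -> bool:
    """Serve a constructed WHMCS-like docroot with Python's http.server, which
    (like stock nginx/lighttpd) never reads .htaccess, and probe it."""
    docroot = tempfile.mkdtemp(prefix="whmcs_probe_")  # constructed docroot
    composer_dir = os.path.join(docroot, "vendor", "composer")
    os.makedirs(composer_dir)
    with open(os.path.join(docroot, "vendor", ".htaccess"), "w") as fh:
        fh.write("Require all denied\n")  # only Apache would honour this
    with open(os.path.join(composer_dir, "LICENSE"), "w") as fh:
        fh.write("constructed sample LICENSE content\n")
    handler = functools.partial(SimpleHTTPRequestHandler, directory=docroot)
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)  # random free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return is_vendor_exposed(f"http://127.0.0.1:{server.server_address[1]}")
    finally:
        server.shutdown()
        server.server_close()
        shutil.rmtree(docroot, ignore_errors=True)


if __name__ == "__main__":
    print("exposed" if demo_unenforced_htaccess() else "protected")
```

The demo returns True (exposed) because the .htaccess is silently ignored; after adding a deny rule such as the lighttpd block above (or its nginx/apache equivalent) the same probe against the real server should return 403 and the check reports protected.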

Comments

  • oi you got a license for that license mate?

  • edited January 28

    I think it is only intended to show LICENCE as an example: who the hell cares that someone can read that? Any mitigation shouldn't just be focussed on that one file, I suspect.

    Dunno, but perhaps more appropriate...
    [code]
    # deny access to composer
    $HTTP["url"] =~ "^/vendor/composer/" {
        url.access-deny = ("")
    }
    [/code]

    EDIT5: give up on trying to format this post :'(

    Where's the ignore setting?

  • AnthonySmith (Administrator, Hosting Provider)

    lol, I take things so literally I am sure I have never diagnosed Asperger syndrome or something.

  • edited January 28

    Strangely, just this morning, I was thinking about the setting that allows WHM/cPanel to check how many levels down for .htaccess. I normally change it from the default of two to three.
    Haven't noticed any similar setting on any of the other control panels, nor nginx etc.

  • AnthonySmith (Administrator, Hosting Provider)

    Post updated with common sense applied :) cheers @AlwaysSkint

  • Interesting to see people still running lighttpd. Such a shame that the project has been nearly abandoned, loved it a decade ago.

  • AnthonySmith (Administrator, Hosting Provider)

    WHMCS just notified me by ticket that it is in fact the entire /vendor folder

    Might be me, but that really was not apparent from the email or docs.

  • MikeA (Hosting Provider, OG)

    @AnthonySmith said:
    WHMCS just notified me by ticket that it is in fact the entire /vendor folder

    Might be me, but that really was not apparent from the email or docs.

    They do not know the actual root cause of the problem, they are just blanketing the situation in the email.

  • @AnthonySmith said: entire /vendor folder

    Don't use WHMCS, so I could only speculate. ;)

  • WSS (Retired)

    @MikeA said:
    They do not know the actual root cause of the problem, they are just blanketing the situation in the email.

    My guess is some weirdo Smarty hook or some retarded unsanitized file_get_contents() which relies on allow_url_fopen from some code that dates back to 20 years ago. That's usually the cause.

    My pronouns are asshole/asshole/asshole. I will give you the same courtesy.

  • ionswitch_stan (Hosting Provider, OG)

    This also impacts NGINX users... @AnthonySmith would you mind extending the topic to state it's basically any HTTP server with a stock config that is NOT apache? Even apache users should validate they aren't exposing /vendor.

    Ionswitch.com | High Performance VPS in Seattle and Dallas since 2018

  • AnthonySmith (Administrator, Hosting Provider)

    done

  • vpsgeek (OG)
    edited January 28

    https://fortiguard.com/encyclopedia/ips/45765/phpunit-eval-stdin-php-remote-code-execution

    That vulnerability was disclosed in 2017, so it is WHMCS being lazy, busy working out a new price increase.

    The only thing their owners are interested in is money, and they don't give a single ***k about security.

    Recommend: SmallWeb|BuyVM|Linode|RamNode

  • How is this issue exploitable? What can be gained if it is exploited? Is it High Risk?
