WHMCS Security Advisory

Hello,

We are writing to advise you of a potential security vulnerability when htaccess directives are not enforced appropriately for WHMCS. This most commonly occurs in web server environments such as nginx.

Affected Versions

WHMCS 6.0 and later

How to tell if you’re affected

If the following file is readable from a web browser, then you need to investigate and apply appropriate configurations for your web server environment.

https://www.example.com/path/to/whmcs/vendor/composer/LICENSE

A verification tool has also been made available to assist in determining if your web server environment is affected. This tool can be downloaded here.

How to fix the vulnerability

Please follow the instructions provided in the detailed security advisory:

WHMCS Security Advisory 2020-01-28

WHMCS is here to help. If you are unsure whether your system is enforcing .htaccess directives, you can open a support ticket for assistance.

Kind regards,
WHMCS

https://www.whmcs.com/members/mailings/?k=security-advisory-2020-01-28

https://docs.whmcs.com/Security_Advisory_2020-01-28#How_to_fix_the_vulnerability

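The "How to tell if you're affected" check from the advisory can be scripted for several installs. This is an added example, not part of the original post and not the WHMCS verification tool. The function names, the verdict labels and the use of the MIT phrase "Permission is hereby granted" to recognise Composer's LICENSE file are assumptions.

```python
import sys
import urllib.error
import urllib.request

PROBE = "vendor/composer/LICENSE"             # file named in the advisory
MIT_MARKER = b"Permission is hereby granted"  # assumed: Composer's LICENSE is MIT text


def probe_url(base_url):
    """Build the probe URL from the WHMCS base URL."""
    return base_url.rstrip("/") + "/" + PROBE


def classify(status, body):
    """Turn the HTTP response for the probe file into a verdict."""
    if status == 200:
        # A 200 without the licence text is usually a login page, custom
        # error page or catch-all route, so it needs a manual look.
        return "EXPOSED" if MIT_MARKER in body else "REVIEW"
    if status in (401, 403, 404):
        # 404 also appears when base_url is wrong; confirm the path first.
        return "NOT_READABLE"
    return "REVIEW"


def check(base_url, timeout=10):
    """Request the probe file once and return (url, status, verdict)."""
    url = probe_url(base_url)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        status, body = err.code, b""
    return url, status, classify(status, body)


if __name__ == "__main__":
    # Usage: python check_vendor.py https://www.example.com/path/to/whmcs
    url, status, verdict = check(sys.argv[1])
    print(f"{verdict}: HTTP {status} for {url}")
    sys.exit(1 if verdict == "EXPOSED" else 0)
```

An `EXPOSED` verdict means the web server is serving the file and the .htaccess restrictions are not being enforced, so the fix in the linked advisory applies.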

This is why not using Apache should be done carefully and with much consideration and effort. Still so many apps ship with their security measures in a default .htaccess file.


Agreed, but the vendors folder shouldn’t be public in the first place, regardless of whether there’s a .htaccess or not.
