
Petition to WHMCS reblogged

  1. #1
    tsiedsma (Beta Testers)
    Join Date: Mar 2008
    Location: Des Moines, Iowa
    Posts: 684

    Petition to WHMCS - Please rewrite using good code!

    Hello everyone, I'm sure you're aware of all of the recent security issues related to WHMCS. The problem with these issues isn't that someone decoded the encrypted files or identified exploitable code, it's that the code was written so poorly to begin with.

    The coding standards used in WHMCS are very old and very much against best practices. They even went so far as to create a workaround to Register Globals that PHP removed from the software for security reasons. Doing this has led to a couple of the exploits that we've all been dealing with.

    It is the opinion of many qualified people that in order for WHMCS to resolve this issue once and for all, a complete code rewrite must be performed. You can't simply search and replace to fix the underlying issues. Everything is very much intertwined and linked together.

    I know you agree with me when I say that all I want is a usable system. Something with enough features to allow my business to grow and thrive in this competitive market we are all in. I also want something secure enough that I can sleep at night without fear of someone exploiting a vulnerability in the software I use to house all of my customer and server data.

    Join me in my efforts and tell WHMCS that you want the same thing. Vote up this feature request and maybe, just maybe they will listen to us.

    https://requests.whmcs.com/responses...ne-secure-code
          
  2. #2
    tsiedsma (Beta Testers)
    Join Date: Mar 2008
    Location: Des Moines, Iowa
    Posts: 684

    Re: Petition to WHMCS - Please rewrite using good code!

    Welp, they killed my feature request. I guess that tells us what they think of us...

    Goes to an error page now.

    It was well written, non-insulting and was a nice request to secure the software. It had support from users on WHT as well as here.
    What gives, WHMCS?
          
  3. #3
    Keiro (Member)
    Join Date: Jun 2009
    Posts: 113

    Re: Petition to WHMCS - Please rewrite using good code!

    Fortunately for me, I've moved off of WHMCS.

    No way in hell am I moving back to WHMCS. And I won't offer WHMCS licenses to my clients.

    I voted for this. I was expecting them to accept the feature request. Not delete it and remove it from view.

    That simply tells me that they don't give a **************** about us, the people that use their software. Their actions will come back to bite them in the rear, sooner or later.

    Sooner or later, someone will sue WHMCS, and they will be found liable.
          
  4. #4
    WHMCS Chris (WHMCS Staff)
    Join Date: Aug 2012
    Location: Houston, TX
    Posts: 828

    Re: Petition to WHMCS - Please rewrite using good code!

    Hello,

    I've removed the feature request as the feature request system is not designed for that. The request to have a completely rewritten piece of software in a short time is simply an impossible feat - there are nearly 500,000 lines of code. However, WHMCS has begun rewriting the core of the code in 5.3. The unfortunate aspect is that software in general will always be faced with vulnerabilities. If you follow any exploit report websites, you'll see this on an extremely regular basis. Even companies like PayPal and Oracle still battle this.

    To assume that WHMCS itself does not care about the customers, or the security of the software it's providing is difficult to accept. Historically, we can see that immediately when something is known we have provided software updates mitigating the issue in a very short amount of time. It's quite unfortunate that some individuals do not follow responsible disclosure procedures as their intent appears to be terroristic in nature.

    We have, and continue to work with a number of third-party vendors for responsible disclosures as well as our own internal audits (hence the regular updates over the past 6 months), and the push to rewrite the core in 5.3.

    I am going to close this thread not for need of further discussion, but rather move it to a more appropriate forum - if you wish to continue this, feel free to email me directly at chris[at]whmcs.com.

    We will be making a public statement in the near future which will likely address the majority of questions.
          