Monthly Archives: October 2013

SPAM Filtering Coming Soon! (SpamExperts)

We’re pleased to announce our integration with SpamExperts, a leading SPAM filtering company for email services. We have recently completed a testing phase for incoming email filtering & we’re extremely happy with the results.

VeeroTech Systems has many different email accounts for various tasks and boy do we get hammered with SPAM! We get all sorts of incoming SPAM ranging from free iPad offers, adult advertisements, phishing emails, enhancement supplements and more. While we can filter these out to an extent via server side configurations, it was simply taking too much time to do so; time that could be better spend shaping the future of VeeroTech Systems & assisting our customers.

Phase #1:

Phase 1 consisted of testing non-critical domains that VeeroTech Systems owns that get the same amount of SPAM messages on a daily basis. We chose a non-critical domain to lower the chances of false positive email rejections that could potentially impact business operations. We had a 99.9% success rate for blocking SPAM messages with only the default configuration from SpamExperts. The .1% was 1 message that did happen to make it through. The single message that made it through was surprisingly a highly crafted message that happened to slip through.

Phase #2:

Phase 2 consisted of adding the VeeroTech Systems main domain (veerotech.net) for incoming filtering. So far, the results have been a 100% success rate on blocking actual SPAM messages. We have not received any false positives to date. We will continue to use incoming filtering through SpamExperts from here on out.

In the upcoming weeks, we’ll be releasing the integration options to all VeeroTech Systems customers at an introductory rate per domain. If you’re tired of SPAM flooding your inbox, this filtering is for you.

Interested in getting filtering for your domain? Message us via our contact page to get more information on how we can help!

We will be releasing additional details in the upcoming weeks on how to add SpamExperts email filtering to your account for VeeroTech Systems customers. Stay tuned for an email with further details.

R1Soft Continuous Data Protection

A few weeks ago, a security audit completed by a 3rd party security firm discovered various security flaws in the previously used software “StoreGrid” that we used on shared & reseller web hosting accounts. This discovery prompted us to completely disable all instances of StoreGrid running on VeeroTech Systems servers. The security vulnerabilities were reported to StoreGrid however, they did not seem to get fixed. This prompted us to remove StoreGrid completely from all servers to protect our customers.

Upon removing StoreGrid, we chose to replace it with Idera R1Soft CDP (continuous data protection). We have recently been working on a complete integration for all shared & reseller web hosting servers. In addition to R1Soft CDP daily/hourly backups, we still complete weekly & monthly account level (cPanel – shared/reseller) backups for Disaster Recovery.

Now, what does this mean for you? If you’re a shared or reseller hosting customer, you will have access to restore file-level backups from 4 previous days right from within cPanel. You will notice there’s an R1Soft icon inside of cPanel as well.

Traditional shared/reseller hosting: Daily backups, 4 copies retained. + weekly/monthly account backups.

Cloud shared/reseller: Hourly backups, 120 copies retained. + weekly/monthly account backups.

We are nearing the completion of the integration & hope to be 100% complete within the next few weeks. If your hosting accounts are located on our older servers, the integration has not yet been completed. (dallas01, dallas02 & dallas03 servers). If you are not located on these servers, the backups have already been integrated. You can check the server name from within cPanel on the right hand pane where your statistics are located.

Virtual Servers. (VPS)

The second phase of the implementation includes installing the R1Soft CDP agent on all VPS customer virtual machines. This will be included with your current VPS rate, and there will be no extra charges.

Agent Installation: We will contact each VPS customer directly to coordinate the installation & configuration.

Backup Frequency: VPS customers will have daily R1Soft CDP backups

Backup Storage Amount: Each VPS will include identical storage allocations. EG: 50GB VPS will include 50GB of R1Soft CDP backup space.

Cloud Virtual Servers. (VMware Cloud Servers)

These servers have not been released on our website however, the backup options will be the same as standard virtual servers (VPS).

Backup Storage Location.

All R1Soft CDP agents will have target destinations on “off-site” storage. We retain R1Soft CDP backups & our weekly/monthly shared/reseller account backups both in different locations. This greatly reduces the chance of data loss should we be required to restore from our Disaster Recovery backups.

As always, should you have any questions, certainly feel free to get in touch with our support desk.

WHMCS Security Advisory for 5.x – upgrade to v5.2.12

UPDATE 2: We have published 5.2.12 incremental and full versions. These include all security related enhancements as well as the missing file that triggers the version increment.

Please Note: if you downloaded 5.2.11, your update is incomplete. Please deploy 5.2.12 to ensure the software version increments properly. Version 5.1.13 was not affected by this packaging deficiency.

UPDATE: We’ve identified a missing file in 5.2.11 which causes the version number not to increment. All security related enhancements are present. We will be updating this post again with version 5.2.12 which will contain the complete change set. Thank you for you patience.

WHMCS has released new patches for the 5.2 and 5.1 minor releases. These updates provide targeted changes to address security concerns with the WHMCS product. You are highly encouraged to update immediately.

WHMCS has rated these updates as having critical & important security impacts. Information on security ratings is available athttp://docs.whmcs.com/Security_Levels

Releases
The following patch release versions of WHMCS have been published to address all known vulnerabilities:
v5.2.12
v5.1.13

Security Issue Information

These updates resolve the following issues:

> Information disclosure via the client area as published by ‘localhost’
> HTTP Split Attack discovered by the WHMCS Development Team
> SQL Injection Vulnerability discovered by the WHMCS Development Team
> Privilege boundaries not being enforced on addons reported by Vlad C of NetSec Interactive
> Download directory traversal reported privately by an individual
> Lack of input validation in data feeds input discovered by the WHMCS Development Team
> Deficient Null Byte sanitization on input discovered by the WHMCS Development Team

Important Fix Information

These updates also include the following non-security related functional fixes:

> Improved validation of monetary amounts
> Moneris Vault Gateway compatibility update
> Credit cards not processing under certain conditions
> Correction to internal logic for testing Authorize.net payment gateway

Mitigation

WHMCS Version 5.2

Download and apply the appropriate patch files to protect against these vulnerabilities.

Patch files for affected versions of the 5.2 series are located on the WHMCS site as itemized below.

v5.2.12 (full version) – Downloadable from the WHMCS Members Area
MD5 Checksum: fd2500df9068b7c00a9452ef31cfd522

v5.2.12 (patch only; for 5.2.10 or 5.2.11 ) – http://go.whmcs.com/254/5212_incremental
MD5 Checksum: dbf1f18f98c14d5f212f6e4bc249cca6

To apply a patch, download the files indicated above and replace the files within your installation.
No upgrade process is required.

WHMCS Version 5.1

Download and apply the appropriate patch files to protect against these vulnerabilities.

Patch files for affected versions of the 5.1 series are located on the WHMCS site as itemized below.

v5.1.13 (patch only; for 5.1.12) – http://go.whmcs.com/250/5113_incremental
MD5 Checksum: e06d0033c388a8f2c43e24134fe8bd63

To apply a patch, download the files indicated above and replace the files within your installation.
No upgrade process is required.

All versions of WHMCS are affected by these vulnerabilities, however only 5.1 and 5.2 will be provided updates per our Long Term Support Policy.

You can read more about our Long Term Support Policy here:

http://docs.whmcs.com/Long_Term_Support

WHMCS Security Advisory for 5.x – (v5.2.10 + older) #2

From WHMCS Security Advisories Blog:

As you may be aware, a security issue has been published within the last hour which allows for information disclosure.

We are aware of the issue and are investigating it, and will be issuing a fix for this issue along with any others we discover during our targeted investigation shortly. In the meantime disabling the Mass Payment feature voids the immediate threat.

You can do this by de-selecting the “Enable Mass Payment” checkbox in Setup > General Settings > Invoices and saving.

Please watch our blog, facebook and twitter feeds to receive the latest updates.

We (VeeroTech) recommend temporarily adding the following lines to your WHMCS configuration file “after” the first php tag:

if(isset($_REQUEST[‘invoiceids’]) && is_array($_REQUEST[‘invoiceids’])) { die(‘no’); }
if(isset($_REQUEST[‘geninvoice’]) && is_array($_REQUEST[”])) { die(‘no’); }

We (VeeroTech) also recommend that all WHMCS users disable the option for new signups without services. This can be done by unchecking the check box for “Allow Client Registration” under Settings > General Settings > Other

We realize this may break functionality for those utilizing the build in affiliate program however, it will aid in keeping malicious users from creating accounts inside your system.

WHMCS Security Advisory for 5.x – (v5.2.10 + older) #1

WHMCS has rated these updates as having critical security impacts. Information on security ratings is available at http://docs.whmcs.com/Security_Levels

Releases
The following patch release versions of WHMCS have been published to address a specific privilege and SQL vulnerabilities:
v5.2.10
v5.1.12

Security Issue Information

These changes resolve security issues identified by public disclosure. The follow security issues have been addressed within the latest patches:
– Missing Cross Site Request Forgery Token checks for certain operations related to Product Bundles and Product Configuration
– SQL Injection viable due to improper validation of expected numeric data
– Enforce privilege boundaries for particular ticket actions

Important Fix Information
These changes also include important functional fixes that were produced from previous security patches:
– SQL error in getting ticket departments (5.1 only)
– Mass mail client filter excluding users set to default language
– Admin clients list displaying multiple instances of the same record in certain conditions
– Prevent user input from manipulating IP Ban logic (5.2 only)

Mitigation

WHMCS Version 5.2

Download and apply the appropriate patch files to protect against these vulnerabilities.

Patch files for affected versions of the 5.2 series are located on the WHMCS site as itemized below.

v5.2.10 (full version) – Downloadable from the WHMCS Members Area
v5.2.10 (patch only; for 5.2.9 ) – http://go.whmcs.com/242/5210_incremental

To apply a patch, download the files indicated above and replace the files within your installation.
No upgrade process is required.

WHMCS Version 5.1

Download and apply the appropriate patch files to protect against these vulnerabilities.

Patch files for affected versions of the 5.1 series are located on the WHMCS site as itemized below.

v5.1.12 (patch only; for 5.1.11) – http://go.whmcs.com/246/5112_incremental

To apply a patch, download the files indicated above and replace the files within your installation.
No upgrade process is required.

All versions of WHMCS are affected by this vulnerability, however only 5.1 and 5.2 will be provided updates per our Long Term Support Policy.

You can read more about our Long Term Support Policy here:

http://docs.whmcs.com/Long_Term_Support

VeeroTech Blog