ClientExec – Content Disclosure Vulnerability

Our friends at Rack911 & HostingSecList have released the following advisory for ClientExec.

ClientExec is a comprehensive and flexible web hosting billing solution that will help you manage and expand your existing base of hosting clients. ClientExec was conceived and built with small to mid-sized hosting companies in mind. ClientExec was built to enable business owners to effectively manage their hosting clients and web hosting billing using one convenient and powerful platform.

Vulnerability Description:

A malicious user can obtain the product details (name / domain) belonging to any other user when they submit a ticket by carefully crafting the request.

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that other users' information can be obtained.

Vulnerable Version:

This vulnerability was tested against ClientExec v4.6.8.

Fixed Version:

This vulnerability was patched in ClientExec v4.6.9. We thank ClientExec for their commitment to security by providing prompt updates!

If you are a VeeroTech Systems reseller and currently use ClientExec, please log into the account management portal and download the latest release found under Support > Downloads.

Bandwidth restrictions removed. Resellers increased.

Effective immediately, we will begin removing all bandwidth restrictions from our shared web hosting accounts & packages. After careful review, we have found that the majority of our shared hosting accounts technically do not need hard set quotas.

Over the next few days, we will be updating our servers with the restriction removals for each hosting plan. This means that inside your cPanel account, you will see a “oo” slightly above the bandwidth usage statistics on the left side of your cPanel.

We’d also like to let you know that allowing “unmetered” bandwidth does not mean “unlimited”. We have implemented a “fair use” policy, which can be found in our terms of service as well as below this article.

We also want you to know that this does not mean our quality of service will drop; our servers will continue to be monitored and maintained to continue performing as they are currently. Frequently, people get the terms “bandwidth, traffic, resources” mixed up & become confused. We’re simply removing the hard set quota to allow our customers to focus more on building their sites vs watching their bandwidth limits.

Our storage allocations will remain the same; we do not offer “unlimited” disk space or storage space. Each plan has a hard set quota for storage.

Reseller Plan Bandwidth Increase

In addition to removing the hard set quotas for shared web hosting, we have also increased our bandwidth allocations for resellers, both traditional “single-server” reseller hosting plans as well as our cloud hosting plans. Our website will be updated over the next few days with the new specifications for all shared & reseller hosting plans.

SpamExperts SPAM Filtering: Now Available!

We’re proud to announce the launch of SpamExperts Incoming SPAM filtering for VeeroTech Systems customers. We’re including 1 domain for free for each customer. Each additional domain is $3.99/month and we’re offering discounts for bulk domains – 5, 10, 15+ domains.

To claim your free account, please log into the Account Management portal in your dashboard. Under “Order New Services” you’ll see the option to add SPAM filtering. Once you submit the order, we’ll waive the fee for the 1st domain for you, then provide you with your dashboard login information.

Once your account has been created, you’ll need to update your MX records as described inside the informational email. If you’re unsure how to do this, just open a ticket and our support team will assist in making sure the correct MX records are entered. From there, you’ll then have access to the Spam Panel dashboard where you can adjust the SPAM threshold, view quarantined messages, whitelist/blacklist options & more!

Have questions? Open a service ticket at any time or email us at info@veerotech.net

Want SPAM filtering, but not yet a VeeroTech Systems customer? Sign up today and experience the VeeroTech difference! www.veerotech.net

WHMCS Cookie Exploit

From the WHMCS Blog: http://blog.whmcs.com/?t=81138

We are aware of a post that is circulating in which the author proposes an exploit via a cookie variable. However, the proposed vulnerability is only possible if the attacker has gained access to a valid admin login session already through other means. For this reason, we feel that the viability of the vulnerability is not immediate nor is of a critical risk to installations.

We can confirm this vulnerability vector does exist as we have already identified and resolved it in our currently in progress internal security audit. We have in fact also prepared a refinement to the code that will negate the proposed attack vector and we anticipate publishing a new release of the software next week that will include this change along with others found during our internal audit.

In the meantime however, you may download the hook file below and upload it to the /includes/hooks/ folder of your WHMCS installation to negate any potential attacks based on this – although please note this will also prevent admin list ordering from working fully in certain places.

Cookie Override Hook – http://go.whmcs.com/262/cookie_override_hook

If you currently have WHMCS, we recommend that you follow the instructions for this patch. You’ll need to upload the file to your /includes/hooks folder as mentioned above & in the post made by WHMCS.

R1Soft Continuous Data Protection

A few weeks ago, a security audit completed by a 3rd party security firm discovered various security flaws in “StoreGrid”, the software we previously used on shared & reseller web hosting accounts. This discovery prompted us to completely disable all instances of StoreGrid running on VeeroTech Systems servers. The security vulnerabilities were reported to StoreGrid; however, they did not seem to get fixed. This prompted us to remove StoreGrid completely from all servers to protect our customers.

Upon removing StoreGrid, we chose to replace it with Idera R1Soft CDP (continuous data protection). We have recently been working on a complete integration for all shared & reseller web hosting servers. In addition to R1Soft CDP daily/hourly backups, we still complete weekly & monthly account level (cPanel – shared/reseller) backups for Disaster Recovery.

Now, what does this mean for you? If you’re a shared or reseller hosting customer, you will have access to restore file-level backups from 4 previous days right from within cPanel. You will notice there’s an R1Soft icon inside of cPanel as well.

Traditional shared/reseller hosting: Daily backups, 4 copies retained. + weekly/monthly account backups.

Cloud shared/reseller: Hourly backups, 120 copies retained. + weekly/monthly account backups.

We are nearing the completion of the integration & hope to be 100% complete within the next few weeks. If your hosting accounts are located on our older servers (dallas01, dallas02 & dallas03), the integration has not yet been completed. If you are not located on these servers, the backups have already been integrated. You can check the server name from within cPanel on the right hand pane where your statistics are located.

Virtual Servers (VPS)

The second phase of the implementation includes installing the R1Soft CDP agent on all VPS customer virtual machines. This will be included with your current VPS rate, and there will be no extra charges.

Agent Installation: We will contact each VPS customer directly to coordinate the installation & configuration.

Backup Frequency: VPS customers will have daily R1Soft CDP backups.

Backup Storage Amount: Each VPS will include identical storage allocations. E.g., a 50GB VPS will include 50GB of R1Soft CDP backup space.

Cloud Virtual Servers (VMware Cloud Servers)

These servers have not been released on our website; however, the backup options will be the same as standard virtual servers (VPS).

Backup Storage Location.

All R1Soft CDP agents will have target destinations on “off-site” storage. We retain R1Soft CDP backups and our weekly/monthly shared/reseller account backups in different locations. This greatly reduces the chance of data loss should we be required to restore from our Disaster Recovery backups.

As always, should you have any questions, certainly feel free to get in touch with our support desk.