Category Archives: Security Advisories

Google Docs Phishing – May 3rd 2017 – Be Careful!

Many may already know there is a widespread Google Docs phishing email scam that contains a link that appears to be from someone you may know. We have received numerous messages to our company mailboxes containing these links.

If you’re not familiar with phishing: it is a technique in which an attacker uses a crafted web page, link or similar lure to trick a user into handing over their login credentials. Once that happens, the attacker holds your credentials and can access every service where the same credentials are used.

We would like to alert our customers to this phishing scam and explain how you can protect your account with us should your credentials be compromised.

  1. Use different passwords for all services
  2. Utilize strong, complex passwords
  3. Enable two-factor authentication when available

We provide the ability to enable two-factor (something you know + something you have) authentication for logging into our support/billing portal, as well as for logging into your cPanel & WHM hosting accounts.

To enable two-factor authentication on our support/billing portal, you can follow our instructions here: https://www.veerotech.net/kb/account-management-portal-two-factor-authentication-billing-support/

To enable two-factor in your cPanel account, you can follow our guide here: https://www.veerotech.net/kb/cpanel-two-factor-authentication-multi-factor-authentication/

There are a number of outlets currently reporting the Google Docs phishing attack, we recommend further reading the blog entry on MalwareBytes: https://blog.malwarebytes.com/cybercrime/2017/05/google-docs-app-spam-goes-phishing/

**Note: The two-factor methods above are not related to this phishing incident. We recommend activating two-factor authentication on your accounts with us to further protect your VeeroTech accounts should you be affected by this attack.**

WordPress 4.2.2 Security and Maintenance Release – Critical

WordPress has released a critical security update that should be applied immediately. From WordPress:

WordPress 4.2.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

Version 4.2.2 addresses two security issues:

  • The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.
  • WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue.

The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor. This issue was reported by Mahadev Subedi.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.2 also contains fixes for 13 bugs from 4.2. For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.2.

Full post here: https://wordpress.org/news/2015/05/wordpress-4-2-2/
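The release notes above say 4.2.2 scans wp-content for the vulnerable Genericons HTML file and deletes it. A site that cannot update yet, or that ships Genericons inside a theme or plugin not hosted on WordPress.org, can do the same check by hand. The following is an added example written for this page, not WordPress’s own scan code. The page does not name the file; `example.html` is the file the Genericons package shipped and is assumed here as the default, and the wp-content tree the demo builds is constructed sample data.

```python
import os
import tempfile

# Assumption: this page does not name the Genericons HTML file. "example.html"
# is the file the Genericons package shipped, and is used here as the default.
GENERICONS_HTML = "example.html"


def find_genericons_html(wp_content, filename=GENERICONS_HTML):
    """Return every .../genericons/<filename> under wp_content (case-insensitive),
    so themes and plugins bundling their own copy of the font package are covered."""
    hits = []
    for root, _dirs, files in os.walk(wp_content):
        if os.path.basename(root).lower() != "genericons":
            continue
        for name in files:
            if name.lower() == filename.lower():
                hits.append(os.path.join(root, name))
    return sorted(hits)


def remove_genericons_html(wp_content, dry_run=True):
    """Delete the hits unless dry_run is set; return the list of paths found."""
    hits = find_genericons_html(wp_content)
    if not dry_run:
        for path in hits:
            os.remove(path)
    return hits


def demo():
    """Constructed wp-content tree: two copies of the file (one with odd casing)
    plus a decoy CSS file that must be left alone. Returns (found, removed, left)."""
    with tempfile.TemporaryDirectory() as wp_content:
        for rel in ("themes/twentyfifteen/genericons/example.html",
                    "plugins/some-plugin/assets/genericons/Example.HTML",
                    "themes/other/genericons/genericons.css"):
            path = os.path.join(wp_content, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write("<!-- constructed sample -->\n")
        found = len(remove_genericons_html(wp_content, dry_run=True))
        removed = len(remove_genericons_html(wp_content, dry_run=False))
        left = len(find_genericons_html(wp_content))
    return found, removed, left


if __name__ == "__main__":
    print(demo())
```

Run it with `dry_run=True` first against the real `wp-content` path and review the list before deleting; the file is nonessential, so removing it does not break the icon font.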

WordPress WP-Super Cache vulnerability – update immediately!

An important update has been released for the widely used WP-Super Cache page caching plugin for WordPress. The vulnerability was found by Sucuri, a security company that tests web applications for security vulnerabilities.

We strongly recommend updating this plugin immediately if you have it installed on your website. You can do this from your WordPress dashboard by navigating to Plugins > Installed Plugins and locating the WP-Super Cache plugin; the update link appears within the plugin’s details.

WHMCS Security Advisory TSR-2014-0001

WHMCS has released a new update for all supported versions of WHMCS. These updates contain changes that address security concerns within the WHMCS product.

We recommend you update your WHMCS installation(s) as soon as possible.

WHMCS has rated this update as having an important security impact. Information on security ratings can be found at http://docs.whmcs.com/Security_Levels

Releases
Please update your installation to the following version:
v5.2.16

Patches – What is a Patch?

Incremental patches can be downloaded by following the provided links below. These patch sets contain only the files that have changed between the previous release and this update. The previous release version that these patch sets are designed for is clearly indicated as the first and smaller number.

The following incremental patches are available for direct download:

5.2.15 –> 5.2.16 http://go.whmcs.com/298/v5215_incremental_to_v5216_patch
MD5 Checksum: 706e352796e91c4f27a40470c83125b8

To apply a patch set release, download the files as indicated above. Then follow the upgrade instructions for a “Patch Set” which can be found at http://docs.whmcs.com/Upgrading#For_a_Patch_Set

Full Release – What is a Full Release?

A full release distribution contains all the files of a WHMCS product installation. It can be used to perform a new install or update an existing installation (regardless of previous version).

5.2.16 – Downloadable from the WHMCS Members Area
MD5 Checksum: fe2a804ade2bfd69d4107ff8aa1b718b

To apply a full release, download the files as indicated above. Then follow the upgrade instructions for a “Full Release Version” which can be found at http://docs.whmcs.com/Upgrading#For_a_Full_Release_Version

Important Maintenance Issue Information

This Advisory provides resolution for the following important maintenance issues:

Case #2557 – 2Checkout Gateway: Update to currency variable
Case #2623 – Fix calculations of promotions when more than 50% off
Case #2739 – Add TLD Specific Fields required for .CN domain registrations
Case #2874 – Authorize.net Echeck: Fix capture function behaving incorrectly
Case #3019 – Refine internal criteria for bulk domain lookup
Case #3030 – Resolve SQL error in Income by Product Report
Case #3086 – Nominet Registrar: Update to Contact Registration Logic for Individuals
Case #3116 – Required Custom Fields not validating correctly when using API
Case #3360 – Resolved issue where one time promotions could be treated as recurring
Case #3360 – Disable Recur For input box when Recurring is disabled
Case #3361 – Fix time limited recurring promotions calculating incorrectly
Case #3388 – Fix Invalid Token Error when applying credit in Original and Portal Client Templates
Case #3414 – Payflow Pro: Update to store PayFlow Reference in PayFlow Mode
Case #3617 – Do not CC password reset emails to sub-accounts
Case #3740 – ProtX VSP Form: Pass correct callback values to debug log
Case #3801 – Resolved PDF Quotes missing clients name/address
Case #3802 – Make a quantity of zero remove item from the cart
Case #3809 – Regular Expression Custom Field Validation failing on single quotes
Case #3811 – Resolve Invalid Token error when deleting recurring calendar entry
Case #3814 – Improvements to IPv6 detection and validation logic
Case #3862 – NameCheap Registrar: Fix incorrect function name call
Case #3864 – Authorize.net Echeck: Fix storage of bank account details
Case #3893 – Enom SSL Module: Fix Province is Required Error Message
Case #3922 – PayPal Express: Remove auto-login from Express Checkout Module

Security Issue Information

This Advisory provides resolution for several security issues, all of which were either reported privately via the Security Bounty Program or found internally by the WHMCS Development team as part of the regular on-going internal security audits.

There is no reason to believe that any of these vulnerabilities are known to the public. As such, WHMCS will only release limited information about the vulnerabilities at this time.

Once sufficient time has passed, WHMCS will release additional information about the nature of the security issues.

Case #3637 – Improve Access Controls in Project Management Addon
Case #3782 – Improve Access Controls in Tickets
Case #3783 – Improve Access Controls in Invoices
Case #3784 – Resolve Admin Area SQL Injection Vulnerability
Case #3839 – Resolve Potential XSS Vulnerability
Case #3841 – Resolve Potential XSS Vulnerability
Case #3842 – Resolve Potential XSS Vulnerability
Case #3843 – Resolve Potential XSS Vulnerability
Case #3846 – Improve Access Controls in Tickets
Case #3922 – PayPal Express Checkout Improve Validation
Case #3931 – Potential header injection via whois lookups
Case #3932 – Improve sanitization for whois query

All supported versions of WHMCS are affected by one or more of these maintenance and security issues.

WHMCS Security Advisory TSR-2013-010

WHMCS has released a new update for all supported versions of WHMCS. This update contains a change that addresses a specific security concern within the WHMCS product.

We strongly encourage you to update your WHMCS installations as soon as possible.

WHMCS has rated this update as having an important security impact. Information on security ratings can be found at http://docs.whmcs.com/Security_Levels

Releases
Please update your installation to the following version:
v5.2.15

Patches – What is a Patch?

Incremental patches can be downloaded by following the provided links below. These patch sets contain only the files that have changed between the previous release and this update. The previous release version that these patch sets are designed for is clearly indicated as the first and smaller number.

Do not attempt to apply an incremental patch set to an installation that is running a different version than the indicated version. Doing so will result in a “Down for Maintenance” message and require you to use the full release to complete the upgrade.

Incremental patches do not require any update process. Simply apply the changed files to the existing WHMCS installation.

The following incremental patches are available for direct download:

5.2.14 –> 5.2.15 Patch http://go.whmcs.com/290/v5214_incremental_to_v5215_patch
MD5 Checksum: 709126303a0296ea41e6984c84aa42fa

To apply a patch set release, download the files as indicated above. Then follow the upgrade instructions for a “Patch Set” which can be found at http://docs.whmcs.com/Upgrading#For_a_Patch_Set

Full Release – What is a Full Release?

A full release distribution contains all the files of a WHMCS product installation. It can be used to perform a new install or update an existing installation (regardless of previous version).

The latest full release can always be downloaded from our members area at https://www.whmcs.com/members

5.2.15 Full Version – Downloadable from the WHMCS Members Area
MD5 Checksum: d990f802db28c28d6d2fc003c8f339eb

To apply a full release, download the files as indicated above. Then follow the upgrade instructions for a “Full Release Version” which can be found at http://docs.whmcs.com/Upgrading#For_a_Full_Release_Version
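Both advisories on this page (TSR-2014-0001 and TSR-2013-010) publish an MD5 checksum beside each patch set and full release. Verify the checksum of the downloaded archive before unpacking it over a live WHMCS install; a truncated or corrupted download applied as a patch set leaves the installation in a half-upgraded state. The following is an added example written for this page, not a WHMCS tool; the file it checks is constructed sample data (the bytes `hello`, whose MD5 is a well-known value), and `verify_download` accepts the checksum string as copied from the advisory, including a trailing `*` as seen in some advisory postings.

```python
import hashlib
import hmac
import os
import tempfile


def bytes_md5(data):
    """MD5 hex digest of an in-memory byte string."""
    return hashlib.md5(data).hexdigest()


def file_md5(path, chunk=1 << 20):
    """Stream a file through MD5 so large full-release archives do not need to fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_download(path, advisory_checksum):
    """Compare the file's MD5 to the value copied from the advisory.
    Normalises case, whitespace and a trailing '*' (md5sum binary-mode marker)."""
    expected = advisory_checksum.strip().rstrip("*").strip().lower()
    if len(expected) != 32 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("advisory checksum is not a 32-hex-digit MD5: %r" % advisory_checksum)
    return hmac.compare_digest(file_md5(path), expected)


def demo():
    """Constructed download: 'hello' matches the known MD5; one extra byte must fail."""
    known = "5d41402abc4b2a76b9719d911017c592 *"   # MD5 of b"hello", as a copied line
    with tempfile.TemporaryDirectory() as d:
        archive = os.path.join(d, "whmcs_patch.zip")
        with open(archive, "wb") as f:
            f.write(b"hello")
        intact = verify_download(archive, known)
        with open(archive, "ab") as f:
            f.write(b"\n")                          # simulate truncation/corruption
        damaged = verify_download(archive, known)
    return intact, damaged


if __name__ == "__main__":
    print(demo())   # (True, False)
```

A caveat a practitioner should keep in mind: the patch links above are plain `http://` redirects, and MD5 is no longer collision-resistant, so this check detects corruption or truncation, not substitution by someone who can also alter the checksum you copied. Take the checksum from the advisory as served over HTTPS (or from the members area) rather than from the same unauthenticated channel as the download.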

Important Maintenance Issue Information

This release also provides resolution for the following maintenance issues:

Case #3706 – Some graphs failing after recent Google Graph API Update
Case #3711 – CSV Export content should not contain HTML entities
Case #3726 – PDF Line Items failing to output some specific characters
Case #3727 – Admin password reset process failing to send new password email
Case #3738 – Sub-account password field’s default text must be removed on focus/click events

Security Issue Information

This Advisory provides resolution for a single security issue which was publicly disclosed. Specific information regarding that issue can be found below.

Case #3785
SQL Injection via Admin Credit Routines

=== Severity Level ===
Important

=== Description ===
An attacker who can function as an authenticated admin user with the ability to apply credits to an invoice can, using specially crafted input, cause the credit routines to execute arbitrary SQL commands if the target user has a credit balance known to the attacker.

Due to the many prerequisites necessary to successfully navigate this vector, a security impact level has been assessed as “Important”. Information on security ratings can be found at http://docs.whmcs.com/Security_Levels
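The description above is the classic shape of an injection behind a privileged function: the admin-supplied values, including the balance the attacker must already know, are concatenated into the query, so the known balance acts as a guard in the WHERE clause only until someone rewrites the predicate. The following is an added, illustrative reconstruction of that bug class, not WHMCS’s code or schema; the `clients` table, column names and balances are constructed for the example, and SQLite stands in for the real database.

```python
import sqlite3

# Constructed schema for illustration only; not WHMCS's tables or code.


def make_db():
    """In-memory client table with constructed sample balances."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, credit REAL NOT NULL)")
    conn.executemany("INSERT INTO clients VALUES (?, ?)",
                     [(1, 50.0), (2, 50.0), (3, 0.0)])
    conn.commit()
    return conn


def apply_credit_vulnerable(conn, client_id, known_balance, amount):
    """Deduct a credit by pasting admin-supplied values straight into the SQL.
    The balance is meant to guard the row, but as concatenated text it can
    be turned into an arbitrary predicate. Returns the number of rows changed."""
    sql = ("UPDATE clients SET credit = credit - %s "
           "WHERE id = %s AND credit = %s" % (amount, client_id, known_balance))
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def apply_credit_safe(conn, client_id, known_balance, amount):
    """Same operation with type coercion and bound parameters: the values are
    data, never SQL. Non-numeric input raises ValueError before any query runs."""
    params = (float(amount), int(client_id), float(known_balance))
    cur = conn.execute(
        "UPDATE clients SET credit = credit - ? WHERE id = ? AND credit = ?",
        params)
    conn.commit()
    return cur.rowcount


def demo():
    """A crafted 'balance' turns a one-row update into a table-wide one
    (AND binds tighter than OR, so 'id = 1 AND credit = 50 OR 1=1' matches every row).
    Returns (rows hit by the injection, rows hit by the safe call, crafted input rejected)."""
    crafted = "50 OR 1=1"
    vuln_rows = apply_credit_vulnerable(make_db(), "1", crafted, "10")
    safe_rows = apply_credit_safe(make_db(), "1", "50", "10")
    try:
        apply_credit_safe(make_db(), "1", crafted, "10")
        rejected = False
    except ValueError:
        rejected = True
    return vuln_rows, safe_rows, rejected


if __name__ == "__main__":
    print(demo())   # (3, 1, True)
```

The example also shows why the issue was rated only “Important”: the caller must already be an authenticated admin with the credit permission, so the injection is a privilege escalation from a billing role to arbitrary database access rather than an unauthenticated entry point.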

=== Resolution ===
Download and apply the appropriate software update to protect against this vulnerability; information about software update releases is provided in the “Releases” section of this Advisory.

All published and supported versions of WHMCS prior to 5.2.15 are affected by one or more of these maintenance and security issues.


VeeroTech Customers: 

Current VeeroTech Systems customers can download the latest FULL version from inside our account management portal: “Support Center > Software Downloads.”