From the WHMCS Blog: http://blog.whmcs.com/?t=81138
We are aware of a post that is circulating in which the author proposes an exploit via a cookie variable. However, the proposed vulnerability is only possible if the attacker has already gained access to a valid admin login session through other means. For this reason, we feel that the viability of the vulnerability is not immediate, nor is it of critical risk to installations.
We can confirm this vulnerability vector does exist as we have already identified and resolved it in our currently in progress internal security audit. We have in fact also prepared a refinement to the code that will negate the proposed attack vector and we anticipate publishing a new release of the software next week that will include this change along with others found during our internal audit.
In the meantime, however, you may download the hook file below and upload it to the /includes/hooks/ folder of your WHMCS installation to negate any potential attacks based on this – although please note this will also prevent admin list ordering from working fully in certain places.
Cookie Override Hook – http://go.whmcs.com/262/cookie_override_hook
If you currently run WHMCS, we recommend that you follow the instructions for this patch: upload the hook file to your /includes/hooks folder, as described above and in the post made by WHMCS. If the steps listed in this article do not resolve your issue, please feel free to open a support ticket and we’d be happy to take a look.