WHMCS Security Advisory 2020-01-28 & actual help for lighttpd (impacts apache & nginx also)
From WHMCS:
Hello,
We are writing to advise you of a potential security vulnerability when htaccess directives are not enforced appropriately for WHMCS. This most commonly occurs in web server environments such as nginx.
Affected Versions
WHMCS 6.0 and later
How to tell if you're affected
If the following file is readable from a web browser, then you need to investigate and apply appropriate configurations for your web server environment.
https://www.example.com/path/to/whmcs/vendor/composer/LICENSE
A verification tool has also been made available to assist in determining if your web server environment is affected. This tool can be downloaded here.
How to fix the vulnerability
Please follow the instructions provided in the detailed security advisory:
WHMCS Security Advisory 2020-01-28
WHMCS is here to help, if you are unsure if your system is enforcing .htaccess directives you can open a support ticket for assistance.
Kind regards,
WHMCS
The lighttpd advice given is useless so in case it helps anyone using it:
What you actually want is to add the following to your lighttpd.conf:
# deny access to /vendor
$HTTP["url"] =~ "^/vendor/" {
url.access-deny = ("")
}
https://inceptionhosting.com
Please do not use the PM system here for Inception Hosting support issues.
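An added check, not part of the original post or of the WHMCS advisory: it runs the advisory's test (is vendor/composer/LICENSE readable over HTTP?) against a throwaway local server whose deny rule stands in for the lighttpd `url.access-deny` regex. It goes slightly beyond the post by also covering an install in a subdirectory; the `billing` prefix, the helper names and the sample file are constructed for illustration.

```python
import functools, http.server, os, re, tempfile, threading
import urllib.error, urllib.request

PROBE = "vendor/composer/LICENSE"  # file the advisory says must not be readable

def probe_status(base_url):
    """Return the HTTP status for the advisory's probe file under base_url."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(base_url.rstrip("/") + "/" + PROBE, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 403/404: the server refused or the file is absent

def make_handler(docroot, deny_regex):
    """Static-file handler; deny_regex stands in for a url.access-deny block."""
    class Handler(http.server.SimpleHTTPRequestHandler):
        def do_GET(self):
            if deny_regex and re.search(deny_regex, self.path):
                self.send_error(403)
            else:
                super().do_GET()
        def log_message(self, *args):
            pass  # keep the demo output quiet
    return functools.partial(Handler, directory=docroot)

def check(install_prefix, deny_regex):
    """Serve a constructed docroot with the probe file under install_prefix
    and return the status a browser would get for it."""
    prefix = install_prefix.strip("/")
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, prefix, PROBE)
        os.makedirs(os.path.dirname(target))
        with open(target, "w") as fh:
            fh.write("constructed sample file\n")
        srv = http.server.HTTPServer(("127.0.0.1", 0), make_handler(root, deny_regex))
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return probe_status(f"http://127.0.0.1:{srv.server_port}/{prefix}")
        finally:
            srv.shutdown()
            srv.server_close()

if __name__ == "__main__":
    cases = [("", None), ("", r"^/vendor/"),
             ("billing", r"^/vendor/"), ("billing", r"^/billing/vendor/")]
    for prefix, rule in cases:
        print(f"install=/{prefix} deny={rule!r} -> HTTP {check(prefix, rule)}")
```

To test a real install, call `probe_status()` with its base URL; a 200 means the deny rule is not matching the path WHMCS is actually served from. In lighttpd, `url.access-deny` is provided by mod_access, which has to be loaded in `server.modules`.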
Comments
oi you got a license for that license mate?
HS4LIFE (+ (* 3 4) (* 5 6))
I think it is only intended to show LICENCE as an example: who the hell cares that someone can read that? Any mitigation shouldn't just be focussed on that one file, I suspect.
Dunno, but perhaps more appropriate..
[code]
# deny access to composer
$HTTP["url"] =~ "^/vendor/composer/" {
url.access-deny = ("")
}
[/code]
EDIT5: give up on trying to format this post
It wisnae me! A big boy done it and ran away.
NVMe2G for life! until death (the end is nigh)
lol, I take things so literally, I am sure I have never diagnosed Asperger syndrome or something.
Strangely, just this morning, I was thinking about the setting that allows WHM/cPanel to check how many levels down for .htaccess - I normally change from the default of two, to three.
Haven't noticed any similar setting on any of the other control panels nor nginx etc.
Post updated with common sense applied cheers @AlwaysSkint
Interesting to see people still running lighttpd. Such a shame that the project has been nearly abandoned, loved it a decade ago.
OpenVPN installer | WireGuard installer
WHMCS just notified me by ticket that it is in fact the entire /vendor folder
Might be me but that really was not apparent from the email or docs.
They do not know the actual root cause of the problem, they are just blanketing the situation in the email.
ExtraVM - High RAM Specials
Yours truly.
Don't use WHMCS, so I could only speculate.
My guess is some weirdo Smarty hook or some retarded unsanitized file_get_contents() which relies on allow_url_fopen from some code that dates back to 20 years ago. That's usually the cause.
My pronouns are asshole/asshole/asshole. I will give you the same courtesy.
This also impacts NGINX users.... @AnthonySmith would you mind extending the topic to state it's basically any HTTP with a stock config that is NOT apache. Even apache users should validate they aren't exposing /vendor.
Ionswitch.com | High Performance VPS in Seattle and Dallas since 2018
done
https://fortiguard.com/encyclopedia/ips/45765/phpunit-eval-stdin-php-remote-code-execution
That vulnerability was disclosed in 2017 so it is WHMCS being busy working out a new price increase lazy
Only thing their owners are interested in is money & don't give a single ***k about security
Recommend: SmallWeb|BuyVM|Linode|RamNode
How is this issue exploitable? What can be gained if it is exploited? Is it High Risk?