Global Hosting Talk

WHMCS security protection

by Feeder on Jul.07, 2009, under Web Hosting Talk

Just thought I would post some information regarding a "backdoor" that many web hosts fail to secure.

If you run WHMCS on the same server where you set up client accounts, someone can simply sign up and easily access your WHMCS configuration file.

All it takes is for the user to upload a shell script and execute the following command:

Quote:

cat /path/to/your/configuration.php-file/


From there, they can access your configuration settings (MySQL) and create an administrator account.

How to fix:

If you have already disabled functions in your php.ini file, then you should be fine. If not, you will want to disable the following functions in your php.ini file:

Quote:

disable_functions="exec, shell_exec, proc_close, proc_open, popen, system, passthru, escapeshellarg, escapeshellcmd, symlink"


You may want to enable safe_mode as well, but this may cause issues for certain scripts.

I would highly recommend installing mod suPHP and PHP CGI, or simply moving your "master" account to a different server.
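
An added example, not part of the original post: a POSIX shell audit that reports which functions from the list above a php.ini still leaves enabled, and whether a configuration file carries the "other" read bit. The function names, the sample files and the mode check (which assumes PHP runs per account, as under suPHP) are assumptions of this example.

```shell
#!/bin/sh
# Functions the post says to disable (list copied from the post).
REQUIRED="exec shell_exec proc_close proc_open popen system passthru escapeshellarg escapeshellcmd symlink"

# Print the names on the last active disable_functions line of a php.ini,
# one per line. PHP splits the value on commas and spaces, so a stray space
# ("pope n") disables nothing useful and leaves popen callable.
disabled_in_ini() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=//p' "$1" \
        | tail -n 1 | tr -d "\"'" | tr ', \t' '\n\n\n' | sed '/^$/d'
}

# Print every REQUIRED function that the given php.ini leaves enabled.
missing_functions() {
    disabled=$(disabled_in_ini "$1")
    for fn in $REQUIRED; do
        printf '%s\n' "$disabled" | grep -qxF "$fn" || printf '%s\n' "$fn"
    done
}

# Return 0 if the "other" read bit is set on the file.
# Assumption: PHP runs as the account owner (suPHP/CGI), so the WHMCS
# configuration file needs no read access for other users.
world_readable() {
    case $(ls -ld "$1" | cut -c8) in r) return 0 ;; *) return 1 ;; esac
}

# Constructed sample input: a php.ini with the "pope n" typo and a 0644 file.
demo=$(mktemp -d)
printf '%s\n' '; constructed sample' \
    'disable_functions="exec, shell_exec, proc_close, proc_open, pope n,system, passthru, escapeshellarg, escapeshellcmd, symlink"' \
    > "$demo/php.ini"
: > "$demo/configuration.php"
chmod 644 "$demo/configuration.php"

echo "Still enabled: $(missing_functions "$demo/php.ini" | tr '\n' ' ')"
if world_readable "$demo/configuration.php"; then
    echo "configuration.php is readable by other accounts"
fi
rm -rf "$demo"
```

Run `missing_functions` against the php.ini the web server actually loads; an empty result means every function in the list is disabled.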

