Patches Include Security Advisory for V4.5 & Google Checkout Users
WHMCS (www.whmcs.com), the billing & support solution provider, released new versions of the 4.5 series and 5.1 series on Monday. These updates provide targeted changes to address security concerns with the WHMCS product.
The new versions were announced by Matt, a WHMCS developer, on the WHMCS Forums. Version 4.5.3 for the 4.5 series and version 5.1.3 for the 5.1 series address all known vulnerabilities.
The 4.5 series update addresses a vulnerability that can permit a malicious user to deceive a WHMCS installation into crediting a payment that was sent to a PayPal account other than the account configured within that WHMCS installation. The 5.x series is unaffected by this vulnerability. The vulnerability can only be exploited if the PayPal module has been activated.
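The general defence against this class of issue is for the payment callback handler to confirm that the recipient named in the notification is the merchant's own configured account before crediting anything. The following is an added illustration, not WHMCS code and not the content of the patch: the function name, the settings and invoice arrays, and the sample values are hypothetical, the field names are standard PayPal IPN variables, and the notification is assumed to have already been verified with PayPal.

```php
<?php
// Added illustration; not WHMCS code. Assumes the IPN message was already
// confirmed with PayPal (cmd=_notify-validate postback returned VERIFIED).

/**
 * Decide whether a verified PayPal IPN may be credited to an invoice.
 * $ipn        : IPN POST fields (receiver_email, payment_status, ...)
 * $configured : hypothetical gateway settings for this installation
 * $invoice    : hypothetical invoice record (total, currency)
 * $seenTxnIds : transaction ids that were already credited
 * Returns [bool $credit, string $reason].
 */
function shouldCreditPayment(array $ipn, array $configured, array $invoice, array $seenTxnIds): array
{
    $norm = static fn($v) => strtolower(trim((string) $v));

    // Core check: the money must have gone to OUR PayPal account.
    $receiver = $norm($ipn['receiver_email'] ?? '');
    if ($receiver === '' || $receiver !== $norm($configured['paypal_email'])) {
        return [false, 'receiver mismatch'];
    }
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return [false, 'payment not completed'];
    }
    // Reject missing ids and replays of a transaction credited earlier.
    $txnId = (string) ($ipn['txn_id'] ?? '');
    if ($txnId === '' || in_array($txnId, $seenTxnIds, true)) {
        return [false, 'missing or duplicate transaction id'];
    }
    if (($ipn['mc_currency'] ?? '') !== $invoice['currency']) {
        return [false, 'currency mismatch'];
    }
    // Compare amounts as integer cents to avoid float rounding errors.
    $cents = static fn($v) => (int) round(((float) $v) * 100);
    if ($cents($ipn['mc_gross'] ?? 0) < $cents($invoice['total'])) {
        return [false, 'amount too low'];
    }
    return [true, 'ok'];
}

// Constructed sample data, for demonstration only.
$configured = ['paypal_email' => 'billing@example.com'];
$invoice    = ['total' => '25.00', 'currency' => 'USD'];
$good = ['receiver_email' => 'Billing@example.com', 'payment_status' => 'Completed',
         'txn_id' => 'TXN-CONSTRUCTED-1', 'mc_gross' => '25.00', 'mc_currency' => 'USD'];
$wrongAccount = ['receiver_email' => 'someone-else@example.net'] + $good;

var_dump(shouldCreditPayment($good, $configured, $invoice, []));
var_dump(shouldCreditPayment($wrongAccount, $configured, $invoice, []));
```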
The 4.5 and 5.1 series updates address a vulnerability that can permit a malicious user to inject SQL via the Google Checkout module. This can only be exploited if the Google Checkout module has been activated within the WHMCS installation, so users who do not use Google Checkout are not at risk.
In order to mitigate these vulnerabilities, WHMCS users need to download and apply the appropriate patch file. For the 4.5 series, use the file: http://go.whmcs.com/42/v452patch. For the 5.1 series, please use the file: http://go.whmcs.com/46/v512googlecheckoutpatch.
To apply the patch, users need to download the appropriate patch file from the links above, depending upon the WHMCS version they are running, extract the contents, and upload the files from the /whmcs/ folder to their installation. No install or upgrade process is required.
The latest public releases of WHMCS are available in the WHMCS members area: www.whmcs.com/members/clientarea.php