About the vulnerability

A potential security vulnerability exists when htaccess directives are not enforced appropriately for WHMCS.

WHMCS ships with a vendor directory which should not be publicly accessible. By default a .htaccess file is provided which in most cases would be sufficient to direct the web server to disallow web based access to files in that location. nginx in particular will not honor that directive.

We have recently become aware of malicious actors scanning the internet for vulnerable web server configurations that host WHMCS installations. Improperly configured web servers could allow an unauthenticated, remote attacker to access sensitive WHMCS data.

As a result, we are rating the severity of this issue as critical.

This advisory was published on 28th January 2020.

Affected versions

WHMCS 6.0 and later

How to tell if you're affected

If the following file is readable from a web browser, then you need to investigate and apply appropriate configurations for your web server environment.

A verification tool has also been made available to assist in determining if your web server environment is affected. This tool can be downloaded here.

To use the tool, simply upload it to the root directory of your WHMCS installation and then visit in a browser or run from the command line. The tool will confirm if you are affected.

How to fix the vulnerability

The solution depends upon your web server environment and various configurations.

Apache Web Server Software

Apache is the recommended web server software platform to run WHMCS on. By default a .htaccess file is provided which in most cases should be sufficient to direct the Apache web server to disallow web based access to files within the vendor directory.

If you are running Apache and files remain accessible, please first ensure that the /vendor/.htaccess file exists, has appropriate ownership and permissions, and that it contains the following directive:

If files continue to remain accessible, then you will want to investigate if your Apache configuration has disabled the use of .htaccess files or if there is a parent configuration that is negating the directive in the provided .htaccess file.

Other Web Server Software

While other web server technologies are not officially supported, we understand that some users do wish to run WHMCS in environments other than Apache.

For those that do, you must ensure that files within the /vendor/ directory are not served based on your web server configuration.

To help with this, we have made available the following help resources:

LiteSpeed

LiteSpeed uses the same configuration format as Apache HTTP Server and is compatible with most Apache features, including .htaccess files. The default .htaccess file provided should in most cases be sufficient to direct the LiteSpeed web server to disallow web based access to files within the vendor directory.

If you are running LiteSpeed and files remain accessible, please first ensure that the /vendor/.htaccess file exists, then you will want to investigate if your LiteSpeed configuration has disabled the use of .htaccess files or if there is a parent configuration that is negating the directive in the provided .htaccess file.

Nginx

A detailed guide for how to restrict access to directories with nginx has been made available at https://docs.whmcs.com/Nginx_Directory_Access_Restriction

Microsoft IIS

To restrict access to directories on IIS systems, perform the following steps:

1. Open IIS Manager
2. Navigate to Web Sites\<your website>\vendor
3. In the right pane, double-click “Authentication"
4. For “Anonymous Authentication”, choose “Disabled”
5. Restart IIS

Others

If your web server software is not listed here, please consult with your server administrator or contact our technical support team for further advice.

Technical Support

WHMCS understands that customers may have questions about this vulnerability or need assistance in determining if they are affected, and we are ready to assist as needed. For support on this issue, please open a support ticket.