
WHMCS Security Advisory TSR-2016-0001 – Admin Application Links CSRF Vulnerability

WHMCS has released new updates for all supported versions of WHMCS. These updates include changes that address security concerns within the WHMCS product.

WHMCS has rated these updates as having a Trivial to Important security impact. Information on security ratings can be found at http://docs.whmcs.com/Security_Levels

==========
Releases
==========
Please update your installation to the latest version.

v6.2 – 6.2.1
v6.1 – 6.1.2 (LTS)
v6.0 – 6.0.4 (LTS)

== Patches ==

Incremental patches can be downloaded by following the links below.

These patch sets contain only the files that have changed between the previous release and this update. The previous release version that these patch sets are designed for is clearly indicated as the first and smaller number.

6.2.0 -> 6.2.1 http://go.whmcs.com/950/v620_incremental_to_v621_patch
MD5 Checksum: c8cc808c0d0718b13a486ca3dabd4125

6.1.1 -> 6.1.2 http://go.whmcs.com/954/v611_incremental_to_v612_patch
MD5 Checksum: c6fa1354f9523054d0107866f2e9550e

6.0.3 -> 6.0.4 http://go.whmcs.com/958/v603_incremental_to_v604_patch
MD5 Checksum: 7d86bb2ca32767f591a8a5c21c81fe6b

Hotfix for 5.3.14* http://go.whmcs.com/962/Backport_TSR-2016-0001_53
MD5 Checksum: bb5756fe02dc0b99d1a49783afd41dbb

Need a patch for an older version? Visit our downloads page: http://download.whmcs.com/

To apply a patch set release, download the files as indicated above. Then follow the upgrade instructions for a “Patch Set” which can be found at http://docs.whmcs.com/Upgrading#For_a_Patch_Set

* Some installations have yet to upgrade to v6. As a result, we are providing a backport patch for v5.3.14. It is important to remember that v5 is no longer supported. Future security and important maintenance issues will not be patched. We strongly encourage anyone running a version outside of Long Term Support (http://docs.whmcs.com/Long_Term_Support) to upgrade as soon as possible to ensure the performance, accuracy, and security of your business.

== Full Release ==

A full release distribution contains all the files of a WHMCS product installation. It can be used either to perform a new installation or to update an existing one (regardless of previous version).

6.2.1 Full Version – Download Now http://download.whmcs.com/
MD5 Checksum: ff5c9b13a86f9041d52d94ada7e7cac9

6.1.2 Full Version LTS – Download Now http://download.whmcs.com/
MD5 Checksum: 91522bf1d33b20793f1aeb411a588118

6.0.4 Full Version LTS – Download Now http://download.whmcs.com/
MD5 Checksum: ae7695aae719aad249f82a8d86bdbd9c

To apply a full release, download the release from the URL above. Then follow the upgrade instructions for a “Full Release Version” which can be found at http://docs.whmcs.com/Upgrading#For_a_Full_Release_Version
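
Checking a downloaded patch set or full release against the MD5 values listed above before applying it, as an added example (not WHMCS code). The release labels such as `patch-6.2.1` and the local archive file name are assumptions made for this script; the checksums are the ones printed in this advisory.

```shell
#!/bin/sh
# Added example. Checksums are copied from the advisory text; the labels
# (patch-6.2.1, full-6.0.4, ...) are names made up for this script.

# Map a release label to the MD5 published in the advisory.
expected_md5() {
    case "$1" in
        patch-6.2.1)   echo c8cc808c0d0718b13a486ca3dabd4125 ;;
        patch-6.1.2)   echo c6fa1354f9523054d0107866f2e9550e ;;
        patch-6.0.4)   echo 7d86bb2ca32767f591a8a5c21c81fe6b ;;
        hotfix-5.3.14) echo bb5756fe02dc0b99d1a49783afd41dbb ;;
        full-6.2.1)    echo ff5c9b13a86f9041d52d94ada7e7cac9 ;;
        full-6.1.2)    echo 91522bf1d33b20793f1aeb411a588118 ;;
        full-6.0.4)    echo ae7695aae719aad249f82a8d86bdbd9c ;;
        *) return 1 ;;
    esac
}

# Print the lowercase MD5 of a file with whichever tool is installed.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 -r "$1" | awk '{print $1}'
    fi | tr 'A-F' 'a-f'
}

# Succeed only if the file's MD5 equals the expected value (case-insensitive).
md5_matches() {
    [ "$(file_md5 "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Exit codes: 0 match, 1 mismatch, 2 unknown label, 3 file missing.
verify_download() {
    want=$(expected_md5 "$1") || { echo "unknown release label: $1" >&2; return 2; }
    [ -f "$2" ] || { echo "no such file: $2" >&2; return 3; }
    if md5_matches "$2" "$want"; then
        echo "OK: $2 matches the advisory checksum for $1"
    else
        echo "MISMATCH: $2 is not the file published for $1; do not apply it" >&2
        return 1
    fi
}

# Usage: sh verify.sh <label> <downloaded-archive>
if [ "$#" -eq 2 ]; then verify_download "$1" "$2"; fi
```

A match shows the archive is byte for byte the file the advisory describes; because MD5 is not collision-resistant, take the expected value from the vendor's own advisory rather than from a mirror.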

=========================================
Security Issue Information
=========================================

The security changes for the v6.2 release address 2 issues, both of which were reported via the Security Bounty Program.

The security changes for all other releases address 1 issue, which was reported via the Security Bounty Program.

Once sufficient time has passed to allow WHMCS customers to update their installed software, WHMCS will release additional information regarding the nature of the security issues.

============================
Maintenance Issue Information
============================

The v6.2 release also provides resolution for 1 maintenance issue that affected upgrades of EOL versions of the product.

All versioned releases also contain the previously released update for the Kayako Loginshare, which is included for completeness.

For full details please refer to the changelog:
V6.2.1 – http://changelog.whmcs.com/WHMCS_V6.2
V6.1.2 – http://changelog.whmcs.com/WHMCS_V6.1
V6.0.4 – http://changelog.whmcs.com/WHMCS_V6.0

All published and supported versions of WHMCS are affected by one or more of these maintenance and security issues.

============================

Source:

========================================
WHMCS Security Advisory TSR-2016-0001
http://blog.whmcs.com/?t=110766
========================================

Thanks!


Vishwajit Kale