WHMCS had a very serious security flaw published yesterday.
In question is a SQL Injection where any string is passed directly to the DB without sanitization if user input is prefixed with certain string. Sounds almost like an intentional backdoor.
WHMCS sent a security advisory last night, but this flaw was exploited before we could react to that advisory.
We had to restore a backup just prior to the attack - a few transactions may have lost, we will manually input them by tomorrow, but if you don't see your payment by monday, please open a ticket.
As a precaution, all WHMCS passwords and service passwords will be reset over the weekend. This is purely a precaution, we do not have evidence of any password leakage, but it's better to be safe than sorry in this instance.
You will receive a password reset e-mail for your service(s) and billing portal via e-mail soon.
Friday, October 4, 2013
