
Prevent hacking attempts by blocking certain keywords in profile fields

Felix Don King shared this idea 5 years ago
Under Consideration


If there was a way to block certain keywords it would be possible to stop hackers from trying to inject code by changing their profile fields.

A lot of WHMCS users are experiencing the typical...

AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)

...hacking attempts, and even if the WHMCS install is patched and safe, it is still a worry and extra work to check that nothing was compromised, ban and delete the user, etc.

Being able to add AES_ENCRYPT as a forbidden keyword would solve this once and for all.



Comments (2)



This is a joke WHMCS has been ignoring for years.

Please please kill this bug.


I do not work for these folks, but I'll put in a plug anyway. They put together a nice security plugin which I "had" to buy in order to stop this madness, WHMCS Security Plus+. Since installing I've no longer had to waste my time clearing the bogus new account adds.


Or: on the assumption you have root-level access to the box you run your billing system on (you really ought to): use mod_security; every time there's a different variant, I just create new mod_security rules.

It's pretty much always going to be better tested (based on maturity and number of deployments) and more flexible than anything WHMCS will be prepared to write, it'll probably be faster than anything that can be integrated into WHMCS using PHP, and as a result it's probably just not worth WHMCS' time re-inventing the wheel (especially if there are already third-party plugins for people who won't/can't use mod_security and are happy to make the tradeoffs).
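The idea post asks for a forbidden-keyword check on profile fields, and the last comment does the same job with mod_security rules that get extended for each new variant. The block below is an added example, written for this page and not code from the original poster, the commenters, WHMCS or any plugin: it screens constructed profile submissions for the SQL fragments seen in the reported payload (`AES_ENCRYPT(`, `(SELECT`, `FROM tbl...`) plus a couple of generic markers, and reports which field and which marker fired so the record can be reviewed or the signup rejected. The field names, the marker list and the sample records are assumptions; the one real value is the payload quoted in the idea post.

```python
import re

# Constructed sample signups for this example (not real WHMCS data).
# Record 1 carries the exact payload quoted in the idea post;
# record 2 is legitimate text that happens to contain the word "Union".
SAMPLE_PROFILES = [
    {"firstname": "Alice", "lastname": "Smith", "address1": "12 Main Street"},
    {"firstname": "AES_ENCRYPT(1,1), address1= (SELECT MIN(username) FROM tbladmins)",
     "lastname": "x", "address1": "x"},
    {"firstname": "Bob", "lastname": "Jones", "address1": "1 Union St"},
]

# Markers that indicate SQL smuggled into a free-text profile field.
# Each entry is (label, compiled regex); labels make the review log readable.
SQL_MARKERS = [
    ("aes_encrypt_call", re.compile(r"\bAES_ENCRYPT\s*\(", re.IGNORECASE)),
    ("subselect", re.compile(r"\(\s*SELECT\b", re.IGNORECASE)),
    ("tbl_reference", re.compile(r"\bFROM\s+tbl\w+", re.IGNORECASE)),
    ("union_select", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.IGNORECASE)),
    ("into_outfile", re.compile(r"\bINTO\s+(?:OUT|DUMP)FILE\b", re.IGNORECASE)),
]


def suspicious_fields(profile):
    """Return [(field, marker_label), ...] for every marker that fires on a record.

    An empty list means no field matched any marker."""
    hits = []
    for field, value in profile.items():
        for label, pattern in SQL_MARKERS:
            if pattern.search(value):
                hits.append((field, label))
    return hits


def screen_profiles(profiles):
    """Return the indexes of records that should be held for review / rejected."""
    return [i for i, profile in enumerate(profiles) if suspicious_fields(profile)]


if __name__ == "__main__":
    for i in screen_profiles(SAMPLE_PROFILES):
        for field, label in suspicious_fields(SAMPLE_PROFILES[i]):
            print(f"record {i}: field {field!r} matched {label}")
```

The check is anchored on word boundaries and the `(` that follows a function name, so ordinary street names such as "1 Union St" pass while the quoted payload fires three markers at once. As with any keyword list, it only catches variants someone has already written a marker for; it is a triage aid that reduces the clean-up work the post describes, and the application's parameterised queries remain what actually keeps the payload from executing.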