WHMCS has released a critical security advisory: when the .htaccess directives that ship with WHMCS are not enforced by the web server, directories that are meant to be private become publicly readable.
WHMCS’ vendor directory should never be publicly accessible, and on Apache the bundled .htaccess file keeps it that way. Server environments that do not process .htaccess files, NGINX in particular, silently ignore those directives, so the directory and the files beneath it are served to anyone who asks for them. Attackers scanning for this misconfiguration can read those files without authenticating and use what they find against your WHMCS installation and its sensitive data.
Is My Server Affected?
This affects all versions of WHMCS 6.0 and later.
To tell whether you are affected, request the following file in your web browser, substituting your own WHMCS URL. If the server returns the file’s contents rather than a 403 or 404 error, the directory is exposed and you need to apply the fix for your web server:
WHMCS has also published a verification tool that you can download from their site.
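The same check can be scripted so it can be repeated after every configuration change or run against several WHMCS installs. The script below is an added example, not part of the WHMCS advisory or of the WHMCS verification tool; it takes the full URL of the file named in the advisory as an argument, and the hostname in the usage comment is made up.

```shell
#!/bin/sh
# Added example (not WHMCS or HostDime code): report whether the given URLs
# are publicly readable. The path to probe is the one named in the WHMCS
# advisory; pass it on the command line, e.g.
#   sh whmcs-vendor-check.sh https://billing.example.com/vendor/<file>
# (billing.example.com is a placeholder, not a real host).

# Turn an HTTP status code into a verdict. 200 means the web server served
# the file itself, i.e. the .htaccess restriction is not being enforced.
# A 200 whose body is the WHMCS front page means the request was routed to
# the application instead; compare the body with the expected file if unsure.
classify_status() {
    case "$1" in
        200)          echo "EXPOSED" ;;
        401|403)      echo "blocked" ;;
        404|410)      echo "absent" ;;
        3[0-9][0-9])  echo "redirect" ;;      # inspect the Location target
        000)          echo "unreachable" ;;   # curl could not connect
        *)            echo "inconclusive" ;;
    esac
}

# Fetch the URL and print only the status code. No -L: a redirect has to be
# inspected, not followed, because a 302 to a login page is not proof that
# the file is protected.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 15 "$1"
}

# Check every URL given; exit non-zero if any came back EXPOSED so the
# script can be used as a gate in deployment or monitoring.
check_urls() {
    rc=0
    for url in "$@"; do
        status=$(http_status "$url")
        verdict=$(classify_status "$status")
        printf '%s  %-12s %s\n' "$status" "$verdict" "$url"
        if [ "$verdict" = "EXPOSED" ]; then
            rc=1
        fi
    done
    return $rc
}

if [ "$#" -gt 0 ]; then
    check_urls "$@"
fi
```

Run it once before fixing the configuration to confirm the exposure, and again afterwards: the status should change from 200 to 403 (or 404, if you chose to hide the directory rather than deny it).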
How Do I Fix the Vulnerability?
Find the web server you are running WHMCS on below and apply the matching fix.
Apache and LiteSpeed
For Apache and LiteSpeed users, the .htaccess file that ships with WHMCS is sufficient to deny access to unintended users, provided the server actually honours it. If the test file is readable, first confirm that /vendor/.htaccess is present, then check that your virtual host or directory configuration has not disabled .htaccess processing (for example with AllowOverride None in Apache); the override setting must permit the directives the file uses. After correcting the configuration, reload the server and repeat the check.
NGINX
NGINX does not read .htaccess files at all, so any restriction set in one has no effect and the directory has to be denied in the NGINX server configuration itself. WHMCS publishes a step-by-step document on restricting access to directories under NGINX; follow it, then reload NGINX and repeat the check above.
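For reference, the following server block is an added example of what that restriction looks like; it is not WHMCS’ own documentation. The hostname, document root and PHP-FPM socket path are assumptions for illustration and must be replaced with your own values.

```nginx
# Added example, not taken from WHMCS's NGINX documentation.
# billing.example.com, /var/www/whmcs and the PHP-FPM socket are placeholders.
server {
    listen 80;                      # TLS setup omitted for brevity
    server_name billing.example.com;
    root /var/www/whmcs;
    index index.php;

    # NGINX never reads .htaccess, so the restriction must live here.
    # "^~" is a prefix match that takes priority over the regex PHP
    # location below, so nothing under /vendor/ is read or executed.
    location ^~ /vendor/ {
        deny all;                   # answers 403 to every request
    }

    # Also refuse the .htaccess files themselves and any other dotfile.
    location ~ /\. {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    location ~ \.php$ {
        try_files $uri =404;        # never pass a missing script to PHP
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Validate the configuration with `nginx -t` before reloading it, then request the test file again: the response should now be 403 instead of the file contents.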
IIS
WHMCS has provided a quick five-step procedure to restrict access to directories on IIS. Note that disabling anonymous authentication applies to whatever node you select in step 2, so select the directory you want to restrict rather than the whole site, otherwise legitimate visitors are locked out of WHMCS as well:
1. Open IIS Manager.
2. Navigate to Web Sites\
3. In the right pane, double-click “Authentication”.
4. For “Anonymous Authentication”, choose “Disabled”.
5. Restart IIS.
If you have any further questions about this advisory, feel free to contact HostDime’s support team.