Status
Not open for further replies.

Kruno
Copy/pasted from my post at WebHostingTalk; I just thought I would throw this here as well.

Hi,

Since some people here claim there are more 0day exploits for WHMCS which allow an attacker to gain full access to your WHMCS by uploading malicious PHP code, I decided to share a method which will prevent uploading malicious PHP scripts. This will also make your WHMCS secure without applying their latest patch (you still should apply it though) :P

1) Host your WHMCS on a VPS or dedicated server; the patch below will make you vulnerable on shared hosting.

2) Run PHP as DSO. The Apache user and the user that runs your WHMCS must be different. For example, Apache can run as apache or nobody, and your WHMCS can run under a username that you added (with the useradd command).

3) WHMCS requires some folders to be chmoded to 777 (world-writable). Let's just move them (downloads, attachments and templates_c) outside the document root, e.g. to /home/username, NOT /home/username/public_html.

You will also have to tell WHMCS where you moved those folders; you can do that by adding the following to configuration.php:
Code:
// writable WHMCS directories, relocated outside the document root
$templates_compiledir = "/home/username/templates_c/";
$attachments_dir = "/home/username/attachments/";
$downloads_dir = "/home/username/downloads/";
4) Chmod other files inside public_html to 644 and folders to 755.
# find /home/username/public_html -type d -print0 | xargs -0 chmod 0755
# find /home/username/public_html -type f -print0 | xargs -0 chmod 0644

5) Make sure you don't run PHP as DSO if your site is on shared hosting.

I hope this helps someone. If anyone has some other suggestion let me know. Have a nice weekend!
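Added example, not part of Kruno's post: a POSIX shell script that carries out steps 3 and 4 above (relocate the three world-writable WHMCS directories out of the document root, then set 755/644 on what remains) and audits the end state. The /home/username and /home/username/public_html layout is assumed from the post; the fixture tree it runs against is constructed here for the dry run and is not a real WHMCS install. The audit also goes one step beyond the post: it flags any PHP file that has landed in attachments or downloads, but deliberately skips templates_c, since Smarty stores compiled templates there as .php files.

```shell
#!/bin/sh
# Added example, not part of the original post: applies steps 3 and 4 of the
# post (move the world-writable WHMCS directories out of the document root,
# then set 755/644 on what remains) and audits the result. The directory
# layout (/home/username and /home/username/public_html) is assumed.
set -eu

# Step 3: move templates_c, attachments and downloads from the docroot ($1)
# to the home directory ($2). Their existing 777 mode is left untouched,
# because WHMCS (running as the Apache user under DSO) must write to them;
# the protection comes from the web server no longer serving that path.
relocate_writable_dirs() {
    docroot=$1; home=$2
    for d in templates_c attachments downloads; do
        if [ -d "$docroot/$d" ] && [ ! -e "$home/$d" ]; then
            mv "$docroot/$d" "$home/$d"
        else
            mkdir -p "$home/$d"
        fi
    done
}

# Step 4: the post's find/xargs pair, written with -exec so that paths with
# spaces are handled and xargs is not needed.
harden_docroot() {
    find "$1" -type d -exec chmod 0755 {} +
    find "$1" -type f -exec chmod 0644 {} +
}

# Verify the post's end state. Returns 0 when clean, 1 when something needs
# attention. templates_c is deliberately excluded from the PHP-file check:
# Smarty stores compiled templates there as .php files.
audit() {
    docroot=$1; home=$2; bad=0
    ww=$(find "$docroot" -perm -0002 -print 2>/dev/null || true)
    if [ -n "$ww" ]; then
        echo "world-writable entries under docroot:"; echo "$ww"; bad=1
    fi
    for d in attachments downloads; do
        case "$home/$d" in
            "$docroot"/*) echo "$d is still inside the docroot"; bad=1 ;;
        esac
        php=$(find "$home/$d" -type f \( -name '*.php' -o -name '*.phtml' \
              -o -name '*.php[0-9]' \) -print 2>/dev/null || true)
        if [ -n "$php" ]; then
            echo "PHP files found in upload dir $d:"; echo "$php"; bad=1
        fi
    done
    return $bad
}

# Constructed fixture for a dry run: a fake /home/username tree with the
# three 777 dirs still inside public_html and a planted PHP file in
# attachments. Prints the base directory.
make_fixture() {
    base=$(mktemp -d)
    for d in templates_c attachments downloads; do
        mkdir -p "$base/public_html/$d"
        chmod 0777 "$base/public_html/$d"
    done
    printf '<?php echo "whmcs";\n' > "$base/public_html/index.php"
    chmod 0666 "$base/public_html/index.php"   # sloppy mode, to be fixed
    printf '<?php phpinfo();\n' > "$base/public_html/attachments/planted.php"
    echo "$base"
}

# Dry run against the fixture: sh harden.sh --demo
if [ "${1:-}" = "--demo" ]; then
    base=$(make_fixture)
    relocate_writable_dirs "$base/public_html" "$base"
    harden_docroot "$base/public_html"
    audit "$base/public_html" "$base" || echo "audit found problems (expected: planted.php)"
    rm -rf "$base"
fi
```

On a real install, run relocate_writable_dirs and harden_docroot as root with the real paths, then re-run audit from cron; a non-zero exit tells you either that something inside public_html has become world-writable again (a sign that a 777 chmod was reapplied, perhaps by an upgrade) or that a PHP file has been uploaded into attachments or downloads, which is exactly the kind of upload the post is trying to make harmless.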
 
8 comments
I think another tweak to make WHMCS more secure is adding htpasswd protection to the server login details page.
 
Yes, you are definitely right. People should change the /admin location and lock it down to internal IP ranges/VPN only. I just wanted to cover how to patch the latest exploit without the official patch :P

XSL and Krun!x FTW (y)

Thank you! There is a reason why we both xsl and KnownSRV are still here.
 