As of 25th May 2018 the General Data Protection Regulation comes into force. At HostBill we have always been committed to data privacy and security and we have taken all necessary steps to ensure GDPR compliance. Continue Reading
We’ve just released security update for HostBill, as a response to potentially dangerous XSS Vulnerability.
To apply security update please download latest and update HostBill to 2013-12-14 version.
You can also use our auto-upgrade plugin to perform this automatically.
Upgrading to new version: http://wiki.hostbillapp.com/index.php?title=Upgrading_to_new_version
Using auto upgrade plugin: http://wiki.hostbillapp.com/index.php?title=Auto-Upgrade_plugin
We believe that this vulnerability is not known to the public, its severity depends on adminarea protection.
KBKP Software always encourages our clients to take extra steps for protection:
Big thanks to team Rack911 (https://www.rack911.com/) for identifying and reporting this problem.
In last couple hours we’ve released patch for HostBill versions 4.x available from auto-update plugin and to download directly from:
For manual patch apply please extract archive contents in main HostBill dir.
We strongly recommend upgrading to latest HostBill version (4.6.4 – archive also contains patched files)
We’ve been notified about brute-force attack possible to be performed by logged in customers into other client’s accounts.
Patch was introduced immediately for auto-upgrade feature
We’ve been notified about dangerous security threat found in one of HostBill files.
Severity depends on server configuration we cannot leave our users at risk – we take security very seriously.
Download patch from here: https://hostbillapp.com/clientarea/patches/hostbill_patch4.6.0_4324.zip (for versions 4.4.0 and UP)
Please extract this patch in main HostBill directory. It is also available in auto-update plugin.
Version 4.6.0 available in downloads section has also been patched, so if you’re using older version its advised to upgrade to latest version.
As scheduled – week passed and new HostBill version is ready: 4.1.4 with multiple improvements and bug fixes is available for download.
Client signup captcha
Spambots now seem to attack even billing systems – there is no better way to prevent it than implementing captcha. By default new client signups require captcha confirmation (you can disable captcha field in Clients->Registration fields)
Client profile files
You can now upload files directly in client profile, so it can be accessible only by this client, or staff members visiting client profile.
Fixed invoice data
When using EU invoicing, you can prevent client details edits appearing on invoices by simply enabling one option in admin config. Learn more
BitPay.com payment gateway
BitCoin digital currency gains popularity, start accepting payments in BitCoins now with BitPay payment gateway for HostBill. Learn more.
Full changelog available at http://hostbillapp.com/changelog
Within last few hours we’ve been notified by external auditor about SQL Injection vulnerability found in current HostBill releases.
As 4.0 version is ready it also includes patch for this problem. Please update at your earliest convenience, before vulnerability details become widely known. We recommend using auto-upgrade plugin, to make sure you’re always up-to-date with recent updates/patches.
So whats new in HostBill 4.0.0 ?
Reports in HostBill
HostBill always had nice-looking and insightful graphical statistics, but we realize that sometimes numbers looks better printed, or are even required in this representation. Make sure to check flexible new reports, allowing for drag & drop output adjustments, multiple output formats (HTML,CSV,PDF,TXT & more) & easy report criteria modification in HostBill 4.0
Learn more at http://blog.hostbillapp.com/
New Orderpage: Smart Wizard
Created to sell more with each well-designed step this orderpage is another amazing item on our rich collection
Check this, and another available orderpages at http://hostbillapp.com/features/order-pages.php
Full changelog available at: http://hostbillapp.com/changelog/
Within last few hours we’ve been notified about potential LFD security threat that affects HostBill installations, caused by one of used libraries.
Although its severity really depends on server configuration we cannot leave our users at risk – we take security very seriously.
Download patch from here: http://hostbillapp.com/clientarea/patches/hostbill_patch3.8.0_3426.zip (for version 3.8).
Patching process is simple – extract archive contents in main HostBill directory, no db updates/install is required.
HostBill 3.8.0 archive available in our clientarea has also been patched, please upgrade to latest version if you’re using < 3.8
Whats new in HostBill 3.1.2 ?
Translation tags – simple yet powerful tool to make your favourite billing system 100% multilingual – learn more
OnApp Cloud selector – if you have more than one cloud installation – HostBill is right billing system for you! Now you can give your customers ability to select cloud during checkout with automatic provisioning still working – learn more
Note: We’ve decided to release HostBill 3.1.2 sooner than expected (by exactly 2 days), as a result of potential security issue detected. Problem may apply to HostBills not secured after initial installation and using built-in HostBill ticketing system.
We apologize for the inconvenience – please upgrade.
Install / upgrade:
HostBill 2.x security patch.
Last night one of our client notified us about potential security threat affecting HostBill versions 2.x, which may allow to access admin area with previously stolen session cookie.
Please download this patch as soon as possible: https://hostbillapp.com/clientarea/index.php?cmd=module&module=downloads&file=11
To apply patch please extract archive contents in your HostBill directory, or upload its contents directly to your install (there is only one file that requires overwriting).
We’re not aware of any installation compromised other than reported last night.
If you have questions or any concerns please feel free to contact us. We do apologize for any inconvenience.
Note: 2.8 version download package contains this patch by default from now on, 2.9 version that is scheduled to release next week will also contain it.