Security Advisory – HostBill version 2013-12-14

We’ve just released a security update for HostBill in response to a potentially dangerous XSS vulnerability.

Applying update
To apply the security update, please download and update HostBill to the latest (2013-12-14) version.
You can also use our auto-upgrade plugin to perform this automatically.

Upgrading to new version: https://hostbill.atlassian.net/wiki/spaces/DOCS/pages/491585/Upgrading+to+new+version
Using auto upgrade plugin: https://hostbill.atlassian.net/wiki/spaces/DOCS/pages/491588/Auto-Upgrade+plugin

We believe that this vulnerability is not known to the public. Its severity depends on admin area protection.
KBKP Software always encourages our clients to take extra steps for protection:
https://hostbill.atlassian.net/wiki/spaces/DOCS/pages/1212438/Security

Big thanks to team Rack911 (https://www.rack911.com/) for identifying and reporting this problem.

Security Advisory – HostBill versions 4.x

In the last couple of hours we’ve released a patch for HostBill versions 4.x, available from the auto-update plugin and for direct download from:

https://hostbillapp.com/clientarea/patches/hostbill_patch4.6.4_4347.zip

To apply the patch manually, extract the archive contents into the main HostBill directory.
We strongly recommend upgrading to the latest HostBill version (4.6.4 – the archive also contains the patched files).

Patched vulnerability
We’ve been notified of a brute-force attack that logged-in customers could perform against other clients’ accounts.

The patch was made available immediately through the auto-upgrade feature.

Important Security Patch Released

We’ve been notified of a dangerous security threat found in one of the HostBill files.
Its severity depends on server configuration. We cannot leave our users at risk – we take security very seriously.

Download the patch here: https://hostbillapp.com/clientarea/patches/hostbill_patch4.6.0_4324.zip (for versions 4.4.0 and up)

Please extract this patch into the main HostBill directory. It is also available in the auto-update plugin.

Version 4.6.0, available in the downloads section, has also been patched, so if you’re using an older version we advise upgrading to the latest version.

Information about price/modules changes in 4.6.0 release for current customers

Dear customers,

We’re aware that our recent changes to the billing model/platform may have caused unintended confusion – we’re here to clear it up.

Pricing/renewal fees:
All changes to pricing/renewal fees apply to new customers only. HostBill respects “grandfather rights”.
If by accident you did not receive what you paid for (the renewal fee shows as different, your download access shows as expired), please contact the Licensing Department.

Paid Live Chat/Vies Plugin
You’re still free to use the mentioned modules; they become paid for new customers only.
Bug fixes will be provided in future for both the free and paid versions. New features will be introduced for the paid versions.

Premium orderpages / client area themes
Updating to the newer version does not remove orderpages that came with your HostBill when you bought it, or with updates up to the recent version.
This means you can still use the orderpages you bought with your HostBill.
Prices for orderpages listed as premium/paid apply to new customers only.

Developer toolkit access
Access to the dev toolkit is available to old customers only (anyone who signed up before 2013-05-24).

By new customers we mean clients that signed up after the 4.6.0 release (2013-05-24).

Update: 2013-05-28

Frequently Asked Questions:
Q: I purchased a license a year ago; do I still have access to all orderpages and client themes that came with my HostBill 4.5.8?
A: Yes. All orderpages released prior to 4.6.0 are included in the download package for customers who purchased HostBill before the mentioned release.

Q: Will I get new HostBill features/improvements/bug fixes?
A: Yes. All free core features, improvements and bug fixes are released weekly, as before.

Q: Do I have access to my HostBill’s API?
A: Yes. Access to the API and hooks, template and orderpage modifications is not limited!

Q: I signed up before the 4.6.0 release; if I download the new version, will the orderpages I previously used still be there?
A: Yes. You have access to what you signed up for.

Q: Can I develop my own extensions or use third party modules?
A: If you signed up before 2013-05-26 (TOS/License update) then YES.

HostBill 4.5.0 Release

A new version of HostBill is available. Alongside exciting developer updates we’ve introduced two modules you might find useful:

Extended Fraud Protection
A web-hosters community powered fraud protection module. Next to standard HostBill fraud prevention you will also gain access to HostBill’s web hosting fraudsters IP database, to lower the risk of fraud and chargebacks.

Learn more at http://hostbillapp.com/features/apps/fraudextended/index.html

SMS Verification Plugin
Verify your clients’ identity and phone numbers with this simple yet powerful plugin: use the built-in SMS notification plugin (or easily build your own) to send a client area PIN protection code after signup.

Learn more at http://hostbillapp.com/features/apps/smsverification/index.html

For full changelog visit http://hostbillapp.com/changelog

HostBill 4.4.4 Release

Friday? So it’s time for another exciting HostBill development.

New orderpage:
Our new client area theme stands out with its modern design approach; we went the extra mile and created a new orderpage to match its unique style. Introducing the Volume Slider orderpage – make sure to see its video preview!

More about HostBill orderpages: http://hostbillapp.com/features/order-pages.php

Major IPAM improvements:
The popular IP management plugin for HostBill, IPAM, just got better – check out the new features at https://hostbillapp.com/feature/ipam-ip-address-manager-overview/

For full changelog visit: http://hostbillapp.com/changelog

HostBill 4.4.2 Release

Friday – time for another HostBill release. With 4.4.2 we’re introducing a couple of new modules you should definitely check out:

Plugin: Ticket Related Service
When opening a support ticket your customer will now be able to define which of their services the support message relates to. The admin section of the Ticket Related Service plugin will display it at the top of the page for staff convenience.

Full changelog available at http://hostbillapp.com/changelog

HostBill 4.3.6 Release

Another week has passed, and another handful of reasons to choose HostBill as the automation platform for your hosting business. With this version we’re introducing:

Plugin: Services per client
Scenario: you’re running a promo with a free trial service. Rather than monitoring your customers to make sure they don’t overuse the promotion, set the number of packages one customer can purchase with this handy plugin.

Learn how to use it at http://cdn.hostbillapp.com/jvideos/limitedservices.html

{attachment} tag in email templates
Want to automatically send files in your custom email notifications (SSH keys, documents, SLA papers), or attach a PDF invoice to email reminders? It’s not only possible but also very simple with HostBill.

Read more about it in our wiki at https://hostbill.atlassian.net/wiki/spaces/DOCS/pages/492052/Email+templates+Email+template+attachment

Full changelog available at http://hostbillapp.com/changelog