So I was recently reminded (thanks @Spencer) that if you call any WHMCS .php with ?licensedebug&forceremote, you get back some info that frankly I'm not wild about giving out. For example:
Performing Remote Check:
Array
(
    [licensekey] => MYLICENSEKEY
    [domain] => MYDOMAIN
    [ip] => MYIP
    [dir] => /home/SOMEUSER/public_html
)
Raw Remote Response:
Active MY_WHMCS_RESELLER 2 Monthly Lease DATE_LEASED Monthly MYDOMAIN MY_IP /home/SOMEUSER/public_html SOME_HASH MY_WHCMS_VERSION
Remote Check Completed
Some of that is obviously public - domain name, IP address. I don't think the WHMCS version is, and why give it out? Also, the absolute path on the server (/home/SOMEUSER) is needlessly exposed, as is the name of the company I leased WHMCS through, etc.
Nothing really OMG but when in doubt, why needlessly expose?
I looked and apparently the licensedebug is in ioncube'd code:
# grep -R licensedebug *
#
So you can't modify the php directly...which means an alternative is to create a mod_security rule that blocks that. In this case, here is what I put in:
# don't allow people to see whmcs sensitive configs
SecRule ARGS_GET_NAMES licensedebug phase:2,block,id:102
This results in
Not Acceptable An appropriate representation of the requested resource /index.php could not be found on this server.
Curious if this is the best way to do this or if I'm going to break something else in WHMCS.
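A tightened version of the rule from the post, added here as an example and not taken from the post or from WHMCS's own documentation. It assumes ModSecurity 2.x on Apache; the rule id 1020 and the 404 status are placeholders chosen for this example, as is the decision to match forceremote as well as licensedebug. Two changes matter: the regex is anchored so the rule fires only on a parameter literally named licensedebug or forceremote (case-insensitively), and it uses deny with an explicit status instead of block. block defers to whatever SecDefaultAction is configured, which is where the 406 Not Acceptable response in the post comes from; deny,status:404 fixes the response regardless of that default, so the probe just looks like a missing page. The rule only triggers on requests that carry one of those parameter names, which ordinary visitors never send, so normal WHMCS traffic does not match it. ARGS_NAMES also covers parameter names in a POST body, which is why the rule stays in phase 2 (the body is not available in phase 1); if only the query string matters to you, ARGS_GET_NAMES as in the post is enough.

```apache
# Added example (not from the original post): block WHMCS license-debug probes.
# Assumptions: ModSecurity 2.x on Apache; id 1020 and status 404 are placeholders,
# so pick an id that does not collide with rules already loaded on the server.
# ARGS_NAMES covers parameter names in the query string and the POST body;
# phase 2 is required for the body to have been read.
SecRule ARGS_NAMES "@rx ^(?:licensedebug|forceremote)$" \
    "id:1020,phase:2,t:none,t:lowercase,deny,status:404,log,auditlog,\
    msg:'WHMCS license debug parameter in request',tag:'whmcs',severity:'WARNING'"
```

To confirm it is in place, request your own install with the parameter set, for example `curl -si 'https://your-whmcs.example/index.php?licensedebug&forceremote' | head -n 1` (hostname is a placeholder), and expect the first line to report 404 rather than 200 or 406; the msg and tag make the hits easy to pick out of the ModSecurity audit log if you want to watch for anyone probing for this.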