BoxBilling with Virtualmin GPL

shillongserver · May 3, 2021, 6:58pm

I’m thinking of giving BoxBilling a try on a spare server and was wondering if it would work with Virtualmin GPL or would it need the reseller feature available in Virtualmin Pro to work?

calport · May 4, 2021, 12:20am

I had used Boxbilling with Virtualmin a long time ago. It works fine with Virtualmin GPL. However, an ethical hacker was able to deface the subdomain on which I had Boxbilling installed, for the version of Boxbilling which was available at that time.

shillongserver · May 4, 2021, 8:54am

Hey there Niel,

That is worrying. Any chance I can get some info on how this was done? Was the exploit found in BoxBilling itself or in the BoxBilling module for Virtualmin?

Regards

calport · May 4, 2021, 9:52am

I did not bother to get from the ethical hacker information about which vulnerability he used to access the system and this was more than a year ago but you could contact him via Twitter and ask, if you wish to do so.

I feel it was due to a vulnerability in BillingBox and not the Virtualmin module for BillingBox.

safestore · June 4, 2021, 11:28pm

BoxBilling didn’t have an effective development team for a few years. No wonder a hacker was able to find vulnerabilities a year ago. The new team only took over about a year ago, maybe less.

Their updating and upgrading is still in Beta. It is not ready yet. When the first full release since, I think, 2012, comes out it should be worth testing.

calport · June 5, 2021, 12:32pm

You mean 2022, @safestore?

safestore · June 5, 2021, 1:05pm

I’d hope to see something concrete before then, @calport. But they did inherit a massive “to do” list so it wouldn’t surprise me. You’d need to follow it closely to estimate how many actual developers in the team and what progress they are making. I simply have a quick look on their github presence from time to time so not following it closely at all.

But you say the hacker was able to deface the subdomain. What, exactly, do you mean by that? It doesn’t sound from your description as though he hacked into BoxBilling at all.

The devs have acknowledged from the start that they’ve taken on a security collander and fixing that was among their first priorities. But BB (or any other innocent package) shouldn’t be accused of responsibility for breeches elsewhere in a system.

safestore · June 5, 2021, 1:18pm

No, @calport I mean 2012. That was the latest stable release IIRC but it may have ben a bit later. The new team may well be absolutely genious (in fact I ave no idea of their capabilities), but even they couldn’t issue a 2022 release in 2021. Sorry.

system · August 4, 2021, 1:18pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.