I've received a Security Advisory email, what should I do?
Introduction
On 28th January 2020, a Security Advisory email was sent to WHMCS users with the subject Security Advisory for WHMCS 2020-01-28.
If your web server is serving files located in the /vendor directory, then you need to take action to harden your system environment. This most commonly occurs in web server environments such as nginx.
How to tell if you're affected
To confirm if your web server is serving files located in the /vendor directory, attempt to visit:
https://www.example.com/path/to/whmcs/vendor/composer/LICENSE
Replace https://www.example.com/path/to/whmcs/ with the URL of your WHMCS software installation.
You should expect to see a 403 Forbidden error or, in some cases, a 404 Not Found error.
If license text is displayed or a file download starts, then you should take steps to disallow access to the /vendor directory.
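The check above can be scripted so it is repeated after every web server change. The script below is an added example and is not part of the WHMCS advisory: it fetches the /vendor/composer/LICENSE path with curl and classifies the HTTP status code. The WHMCS_URL environment variable and the function names are assumptions for this example; a 403 or 404 means the directory is blocked, a 200 means it is exposed, and anything else (a redirect, or 000 when curl could not connect) is reported as unknown so it is not mistaken for a pass.

```shell
#!/bin/sh
# Added example, not code from the WHMCS advisory.
# Classify the HTTP status returned for <whmcs-url>/vendor/composer/LICENSE.
#   403/404 -> "blocked"  (expected result)
#   200     -> "exposed"  (vendor directory is being served; take action)
#   other   -> "unknown"  (redirect, connection failure, etc.; investigate)
classify_vendor_status() {
  case "$1" in
    403|404) echo "blocked" ;;
    200)     echo "exposed" ;;
    *)       echo "unknown" ;;
  esac
}

# Build the probe URL from the WHMCS base URL, tolerating a trailing slash.
vendor_probe_url() {
  base="${1%/}"
  echo "$base/vendor/composer/LICENSE"
}

# Run the live check against an installation (requires network access).
# Only the status code is inspected; the body is discarded.
check_vendor_exposure() {
  url=$(vendor_probe_url "$1")
  status=$(curl -s -o /dev/null -w '%{http_code}' "$url")
  classify_vendor_status "$status"
}

# WHMCS_URL is an assumed environment variable, e.g.
#   WHMCS_URL=https://www.example.com/path/to/whmcs/ sh check_vendor.sh
if [ -n "$WHMCS_URL" ]; then
  echo "$WHMCS_URL -> $(check_vendor_exposure "$WHMCS_URL")"
fi
```

Run it from a host outside the server's own network where possible, since the advisory is about what external clients can retrieve; a result of "exposed" means the /vendor directory must be denied as described in the next section.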
How to fix the vulnerability
The solution depends upon your web server environment and various configurations.
If you are unsure which server environment you are using, this can often be determined by these steps:
- Log in to your WHMCS Admin Area
- Navigate to Utilities > System > PHP Info
- Scroll down to the SERVER_SOFTWARE variable
- Typical values include Apache, nginx or LiteSpeed
Once the type of environment has been identified, follow the steps for that server type in this document: https://docs.whmcs.com/Security_Advisory_2020-01-28#How_to_fix_the_vulnerability