WHMCS Silent Exploit?

SaikuSaiku Member, Host Rep

http://freevps.us/thread-10448.html

Just reposting. (Direct link: http://zoned.pw/?p=9)

Time for a WHMCS Zero Day?


Comments

  • JacobJacob Member

    Hmm.

  • awsonawson Member
    • curtisg
    • domain created today
    • edgy blog post flagged by malwarebytes

    ok

  • vldvld Member
    edited July 2013

    http://img802.imageshack.us/img802/464/baqx.png = image from zoned.pw post.

    good old imageshack vuln: http://img802.imageshack.us/img802/464/baqx.83522d24ee.xml

    <uploader><ip>173.206.93.16</ip></uploader>

    freevps.us owner confirmed that curtisg used that Tor IP to log in/access the forum.

    Thanked by 1awson
  • jakejake Member
    edited July 2013

    When reading that article, the first thing I think about is the localhost.re guy. I dunno why, but I get that vibe that they're the same person.

  • awsonawson Member
    edited July 2013

    @jake said:
    When reading that article, the first thing I think about is the localhost.re guy. I dunno why, but I get that vibe that they're the same person.


    I don't know/care what this pretentious-as-fuck "infosec" bullcrap is, but I highly doubt the localhost.re guy is Curtis.

  • curtisg chats on freevps and is active there. Guess he moved there once vpsboard and LET banned him. I think freevps need to take action as well.

  • perennateperennate Member, Host Rep
    edited July 2013

    The localhost.re guy at least understands English, the zoned.pw clearly doesn't. While zoned.pw tried to emulate localhost.re style (for example with the image), he did a pretty fail job of it :)

    Any idea if the vulnerability is real though?

    Thanked by 1Infinity
  • Nick_ANick_A Member, Top Host, Host Rep
    edited July 2013

    Paraphrasing WHMCS staff: [removed]

    I'll just quote what Matt said:

    "We have been made aware of that website and we are monitoring it for any further postings but at this time, what has been posted is not details of an exploit. The user makes some kind of reference to globals not being necessary which is incorrect, and then goes on to reference one of the functions used in sanitizing user input in WHMCS, but doesn't provide any valid way of using that to exploit a WHMCS installation in the real world. Please rest assured that we always take security seriously, and will continue to monitor and respond as necessary to any new information."

  • MaouniqueMaounique Host Rep, Veteran

    Yes, rest in peace, errr, assured, our code has no bugs.

  • perennateperennate Member, Host Rep
    edited July 2013

    Well if the alert works then clearly it can be exploited to run less benign Javascript code... say, one that suspends all accounts.

  • fapvpsfapvps Member

    Aww say it ain't so.....

  • If you disable JavaScript while in the ticket area as an admin, the issue shouldn't be as bad. At least from what I can tell.

  • SaikuSaiku Member, Host Rep

    shrugs
    so like idk curtisg posted another "exploit"
    http://zoned.pw/?p=27

  • vldvld Member
    edited July 2013

    So curtisg decided to run a PHP analyzer on decoded WHMCS code, and he's posting all the false positives, including "exploits" generated by the analyzer that don't actually do anything.

    Can he be more lame than this? Seriously, classic script kiddie stuff.

    Curtisg, if you do infosec like you claim to, why can't you find actual vulnerabilities? Why not write an actual exploit, you know, by hand?
    The difference between you and a skid that runs ./udp.pl is null. Well, actually, at least that skid may be successful :)

  • @vld said:
    Can he be more lame than this? Seriously, classic script kiddie stuff.

    ^

    Waiting to see who shuts down their WHMCS first.

  • dnwkdnwk Member

    Actually, I don't quite understand how that bug is. Except, I think Magic Quote is deprecated!

  • Anyone shutting down WHMCS because of this?

  • SaikuSaiku Member, Host Rep

    http://freevps.us/thread-10453-post-122138.html#pid122138

    curtisg claimed to have no part in this xd.

  • @BenND said:
    Anyone shutting down WHMCS because of this?

    GetKVM did

  • jakejake Member

    @MiguelQ said:
    GetKVM did

    Works here.

  • @jake said:
    Works here.

    Are you sure? Check here

  • InfinityInfinity Member, Host Rep

    @MiguelQ said:
    Are you sure? Check here

    Or maybe not ;-)

  • perennateperennate Member, Host Rep

    Seems like the exploit would only work if some HTML tag uses ='' instead of ="" for attributes. But all the tags seem to use double quote. Of course, both are valid HTML.
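
The quote-style point in the comment above, as an added example that is not part of the thread and not WHMCS code: an encoder that skips the single quote is only safe while every template delimits attributes with double quotes. The function names, the `<input>` template and the inert sample value are all constructed for illustration.

```javascript
// Added illustration: every name and the sample value are constructed.

// Encoder that handles &, <, > and " but leaves ' untouched.
function escapeDoubleOnly(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Encoder that also covers ', so the template's quote style stops mattering.
function escapeAttr(s) {
  return escapeDoubleOnly(s).replace(/'/g, "&#39;");
}

// Build one tag, delimiting the attribute with the given quote character.
function render(quote, escape, value) {
  return "<input name=" + quote + escape(value) + quote + ">";
}

// Minimal tokenizer for a single tag: attribute names in order.
function attrNames(tag) {
  const inner = tag.replace(/^<\w+/, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Attributes present in the rendered tag beyond the intended "name".
function extraAttrs(quote, escape, value) {
  return attrNames(render(quote, escape, value)).filter((n) => n !== "name");
}

// Constructed, inert sample: a value containing single quotes.
const SAMPLE = "x' data-injected='1";

console.log(extraAttrs("'", escapeDoubleOnly, SAMPLE)); // single-quoted template
console.log(extraAttrs('"', escapeDoubleOnly, SAMPLE)); // double-quoted template
console.log(extraAttrs("'", escapeAttr, SAMPLE));       // both quotes encoded
```

Only the first combination yields an attribute the template author did not write; encoding both quote characters removes the dependence on how each tag happens to be quoted.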

  • He's not crazy, we did shut our corporate webserver down last night as it was late and there was no information released from WHMCS at the time. I didn't want to take any chances whilst I wasn't around to keep track of what was happening, what with all the problems of late with WHMCS/SolusVM.

    http://us7.campaign-archive2.com/?u=c83ad39e562ce08576192372b&id=daa6b8c967&e=[UNIQID]

  • @GetKVM_Ash

    Did you look at the exploit or just go into lockdown mode without thinking?

  • We contacted WHMCS and they said it was fine.

  • @Spencer said:
    GetKVM_Ash

    Did you look at the exploit or just go into lockdown mode without thinking?

    I looked at it, but it doesn't mean much to me since I'm not a PHP coder by any stretch of the imagination, I mean I know bits but nothing major.

    After all the recent problems, I just thought to myself I either lock it down and get a good night's sleep, or leave it open for somebody to attempt whilst I'm not around (if it's a legitimate problem) and end up too late to the show as we've seen happen over the last few weeks.

  • "We don't endorse this website, nor recommend you visit the link BUT HERE YOU GO ANYWAY"

    Seems like one giant overreaction tbh.

  • @MrObvious said:
    "We don't endorse this website, nor recommend you visit the link BUT HERE YOU GO ANYWAY"

    Seems like one giant overreaction tbh.

    And you're entitled to your own opinion good sir.

  • @GetKVM_Ash said:
    And you're entitled to your own opinion good sir.

    AND MY OPINION IS THAT MY OPINION IS ALWAYS RIGHT! /sarcasm

    But really though, that line that says "we don't recommend visiting the link" and then directly linking just made me chuckle
