WHMCS still has security issues? I found this

A few minutes ago someone registered on my site and put this in their personal data.

Client ID: 2467 - Innocent baba has requested to change his/her details as indicated below:

First Name: 'Innocent' to 'AES_ENCRYPT(1,1), firstname=(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)'
Last Name: 'baba' to '1'
Company Name: 'asdfasdf' to '1'
Address 1: 'aad' to '1'
Address 2: 'adfa' to '1'
City: 'aaaaaa' to '1'
State: 'Berlin' to '1'
Country: 'DE' to 'US'
Phone Number: '01 1111111111' to '1'
Default Payment Method: '' to ''

Comments

  • Looks like someone is trying to exploit one of the vulnerabilities that has come to light in the past few weeks but has since been patched. There's no reason to think this is a new issue, unless anyone else spots anything new about this. (Just because people are trying to exploit a vulnerability, it doesn't mean WHMCS is still vulnerable to it - it just means their attempt will fail).

    Are you running 5.2.10?

  • Phew! I thought it was another new exploit...

  • That's a relief...

  • Yes, I'm running the latest. Still no answer from the WHMCS team about that.

    @JamesOakley said:
    Looks like someone is trying to exploit one of the vulnerabilities that has come to light in the past few weeks but has since been patched. There's no reason to think this is a new issue, unless anyone else spots anything new about this. (Just because people are trying to exploit a vulnerability, it doesn't mean WHMCS is still vulnerable to it - it just means their attempt will fail).

    Are you running 5.2.10?

  • I have people doing this all the time, nothing will happen (I hope...)

  • Nothing would happen.
    That user is trying to exploit bugs in version 5.2.8. If those bugs succeeded, his first name would change to all your WHMCS admin usernames, emails and passwords :)

  • WHMCS answered "no problem", and I need to ban that IP address for security, LOL.

    @tuguhost said:
    Nothing would happen.
    That user is trying to exploit bugs in version 5.2.8. If those bugs succeeded, his first name would change to all your WHMCS admin usernames, emails and passwords :)

  • smansman Member
    edited October 2013

    Why not just disable the changing of the name? Shuts down any possibility of this or modified similar exploits from working. I think they have to register a legit looking name first otherwise it doesn't get past the internal checks.

  • @sman said:
    Why not just disable the changing of the name? Shuts down any possibility of this or modified similar exploits from working. I think they have to register a legit looking name first otherwise it doesn't get past the internal checks.

    Why just name? Any updatable field works judging from the old code.

  • smansman Member
    edited October 2013

    As far as I know you have to have the key statement in the first name field.

  • perennate Member, Host Rep
    edited October 2013

    The vulnerability is in the update query creation function, not in updating the first name. While the specific exploit code released relies on changing account details, the vulnerability can still obviously be exploited in other parts of the code that use any sort of user input.

    Of course, you might not be able to get user details. But you'd still be able to update all tickets if you use the exploit when opening a ticket, etc.

    If you only care about blocking script kiddies then restricting changing of client information is okay. But if you're serious about security then that's a ridiculous attack prevention mechanism, although it'd still certainly curb down the chance of an attack a lot if localhost.re continues to use firstname updates in their proof of concepts.

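To illustrate the point made in the post above, here is an added example (not code from the thread, from WHMCS, or from any poster): an update builder that allow-lists column names and binds every value as a parameter, so the first-name payload quoted at the top of the thread is stored as plain text whether it arrives via client details or via a ticket title. The table and column names are a hypothetical stand-in for the billing schema, and the rows are constructed sample data.

```python
import sqlite3

# Constructed value modelled on the first-name change quoted at the top of the thread.
PAYLOAD = ("AES_ENCRYPT(1,1), firstname=(SELECT GROUP_CONCAT(id,0x3a,username,"
           "0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)")

# Hypothetical allow-list of updatable columns per table (not the WHMCS schema).
ALLOWED = {"tblclients": {"firstname", "lastname"}, "tbltickets": {"title"}}

def build_update(table, fields, row_id):
    """Column names come only from the allow-list and every value is bound as
    a parameter, so no field can splice in a second assignment or a subquery."""
    unknown = set(fields) - ALLOWED[table]
    if unknown:
        raise ValueError(f"unknown column(s) for {table}: {sorted(unknown)}")
    assignments = ", ".join(f"{col} = ?" for col in fields)
    return f"UPDATE {table} SET {assignments} WHERE id = ?", (*fields.values(), row_id)

def make_db():
    """In-memory stand-in for the billing database, with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tbladmins (id INTEGER, username TEXT, email TEXT, password TEXT);
        INSERT INTO tbladmins VALUES (1, 'admin', 'admin@example.test', 'hash-placeholder');
        CREATE TABLE tblclients (id INTEGER, firstname TEXT, lastname TEXT);
        INSERT INTO tblclients VALUES (2467, 'Innocent', 'baba');
        CREATE TABLE tbltickets (id INTEGER, title TEXT);
        INSERT INTO tbltickets VALUES (1, 'hello');
    """)
    return db

def apply_update(db, table, fields, row_id):
    sql, params = build_update(table, fields, row_id)
    db.execute(sql, params)
    db.commit()
    return sql

def stored_value(db, table, col, row_id):
    """Read back one cell; table/col are trusted literals here, never user input."""
    return db.execute(f"SELECT {col} FROM {table} WHERE id = ?", (row_id,)).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    # Same payload through the client-details path and the ticket path:
    # both store it verbatim as text, and tbladmins is never read.
    apply_update(db, "tblclients", {"firstname": PAYLOAD, "lastname": "1"}, 2467)
    apply_update(db, "tbltickets", {"title": PAYLOAD}, 1)
    print(stored_value(db, "tblclients", "firstname", 2467) == PAYLOAD)
```

Restricting which profile fields a client may edit, as suggested earlier in the thread, only hides one entry point; fixing the builder itself closes every path that reaches it.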
  • smansman Member
    edited October 2013

    @perennate said:
    The vulnerability is on the select query creation function, not on updating the first name. While the specific exploit code released relies on changing account details, the vulnerability can still obviously be exploited in other parts of the code that use any sort of user input.

    Guess you should tell that to all the people banging away at my WHMCS installs trying to change the first name then giving up when they find out they can't. Not a single person has tried to add it to a different field. What does that prove? Not much, but a lot more than your statement proves.

    So once again. Show me the proof to back up your claims.

  • perennate Member, Host Rep

    @sman said:

    The nature of the exploit makes it obvious to anyone who knows a bit about web application security and/or SQL injections that it can be used in the same way on other queries. If you're at all serious about security you should be more concerned with verifying that an application is secure rather than verifying that it is insecure.

  • jmginer Member, Patron Provider
    edited October 2013

    Same here

  • perennate Member, Host Rep

    @jmginer said:
    Same here

    [email protected]

  • @sman said:
    Why not just disable the changing of the name?

    We had someone weeks back sign up and put false data in, but it turned out they were a legit customer. They simply wanted to hide their identity. However, we directed them to our TOS/AUP and they corrected their profile.

    It is probably best for everyone to simply lock client fields for the time being. I am curious about what the future holds for WHMCS.

  • smansman Member
    edited October 2013

    @perennate said:
    The nature of the exploit makes it obvious to anyone who knows a bit about web application security and/or SQL injections that it can be used in the same way on other queries. If you're at all serious about security you should be more concerned with verifying that an application is secure rather than verifying that it is insecure.

    If you are "serious about security" why haven't you done any penetration testing?

  • smansman Member
    edited October 2013

    x

  • perennate Member, Host Rep
    edited October 2013

    @sman said: If you are "serious about security" why haven't you done any penetration testing?

    We are currently working on a free software billing panel to replace our WHMCS installation.

  • smansman Member
    edited October 2013

    @perennate said:
    We are currently working on a free software billing panel to replace our WHMCS installation.

    Until then please share your penetration testing results with the community. We can all use the info from people such as yourself who are "serious about security" because they know how to google 'SQL injection'.
