WHMCS Security Advisory 2020-01-28

Just looking for some info.

How is this issue exploitable? What can be gained if it is exploited? Is it High Risk?

Comments

  • @Arion4384 said:
    Just looking for some info.

    How is this issue exploitable? What can be gained if it is exploited? Is it High Risk?

    I will copy paste exactly what is posted on WHMCS website

    WHMCS ships with a vendor directory which should not be publicly accessible. By default a .htaccess file is provided which in most cases would be sufficient to direct the web server to disallow web based access to files in that location. nginx in particular will not honor that directive.

    We have recently become aware of malicious actors scanning the internet for vulnerable web server configurations that host WHMCS installations. Improperly configured web servers could allow an unauthenticated, remote attacker to access sensitive WHMCS data.

    As a result, we are rating the severity of this issue as critical.

    Focus on the bold content.

    Thanked by 1 (dustinc)
  • FAT32 (Administrator, Deal Compiler Extraordinaire)
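The advisory quoted above says nginx ignores the `.htaccess` that WHMCS ships, so on nginx the block on the `vendor` directory has to be written into the server configuration itself. The server block below is an added example, not part of the original post and not WHMCS's own shipped configuration; it assumes WHMCS is installed at `/var/www/whmcs`, a placeholder hostname, and a PHP-FPM socket path, while the directory name `vendor` comes from the advisory.

```nginx
# Added example (not from the original post or from WHMCS): an nginx server
# block that denies web access to the WHMCS vendor directory, because nginx
# does not read the Apache-style .htaccess file that WHMCS ships.
server {
    listen 80;
    server_name billing.example.com;        # placeholder hostname
    root /var/www/whmcs;                    # assumed install path
    index index.php;

    # "^~" is a prefix match that, when it is the longest prefix match,
    # stops nginx from evaluating the regex PHP location below, so nothing
    # under /vendor/ is served as a static file or executed as PHP.
    location ^~ /vendor/ {
        deny all;                           # nginx answers 403
    }

    # Normal front-controller routing (assumed layout).
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Hand PHP scripts to PHP-FPM; the vendor block above is matched first.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
}
```

After `nginx -t` and a reload, confirm on the host itself that `curl -sI http://billing.example.com/vendor/` returns `403` while `/` still serves; the prefix match with `^~` is what matters, since a plain `location /vendor/` would lose to the `\.php$` regex for any PHP file in that tree.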

    Sorry, but this is most likely black hat. Your account is found on some other major black hat forum. The way you phrase the question feels like you are trying to exploit it.

    Is it safe to say that you are searching for an exploit to potentially break into some Minecraft hosts that you don't like?
</replace>

  • @FAT32 said:
    Sorry, but this is most likely black hat. Your account is found on some other major black hat forum. The way you phrase the question feels like you are trying to exploit it.

    Is it safe to say that you are searching for an exploit to potentially break into some Minecraft hosts that you don't like?

    I don't play Minecraft, no. Been offered a reward for a successful PoC to gain a shell.

  • Neoon (Community Contributor, Veteran)

    @Arion4384 said:

    @FAT32 said:
    Sorry, but this is most likely black hat. Your account is found on some other major black hat forum. The way you phrase the question feels like you are trying to exploit it.

    Is it safe to say that you are searching for an exploit to potentially break into some Minecraft hosts that you don't like?

    I don't play Minecraft, no. Been offered a reward for a successful PoC to gain a shell.

    Yeah, and that PoC will likely land in someone else's hands, and he will go around selling it or exploiting installations that have not been patched.

    Thanked by 1 (lentro)
  • FAT32 (Administrator, Deal Compiler Extraordinaire)

    @Arion4384 said:
    I don't play Minecraft, no. Been offered a reward for a successful PoC to gain a shell.

    I don't want to do any form of doxing here, but you know what you did. Pretty sure you have been playing Minecraft for quite long based on the record.

    That is even more suspicious, who offered you a reward? It can't be anyone legit because WHMCS themselves already found it.

    Thanked by 1 (lentro)
  • raindog308 (Administrator, Veteran)

    Arion4384 said: Been offered a reward for a successful PoC to gain a shell.

    And of course you immediately said "no, that would be unethical" yet continued to research on your own with the intent of freely sharing your info with WHMCS so they can fix the product...right?


    Thanked by 1 (lentro)
  • lonea (Member, Host Rep)

    Yes, this is exploitable.

    Seen it happen. (Not on my install)

  • alright
