# Is WHMCS next to be exploited?



## MannDude

From here: http://www.lowendbox.com/blog/a-days-recap-solusvm-exploit-released-ramnode-downtime-and-robert-clarke/#comment-121284

Everyone should be on high alert.

EDIT 1: This was posted on LEB


----------



## netnub

You might want to include an exact address: http://www.lowendbox.com/blog/a-days-recap-solusvm-exploit-released-ramnode-downtime-and-robert-clarke/#comment-121284


----------



## Otakumatic

They just posted the hostbill source. Confirm?

Pic:


----------



## netnub

Otakumatic said:


> They just posted the hostbill source. Confirm?


Oh, it's legit.


----------



## SeriesN

What is the registration exploit? What does it do?


----------



## netnub

SeriesN said:


> What is the registration exploit? What does it do?


I believe so


----------



## netnub

From LEB:

http://www.lowendbox.com/blog/a-days-recap-solusvm-exploit-released-ramnode-downtime-and-robert-clarke/#comment-121289


----------



## SeriesN

netnub said:


> I believe so


Can you please pm me the after effect of this exploit?


----------



## Tux

This skid means srs bsns.


----------



## maounique

Well, if the exploits are genuine, then good job !

It is time to get those ppl to switch from devious plans to "update" pricing and conditions while "securing" the code with encryption schemes which are insecure themselves, to actually solve the bugs.

If posting the exploits in public is the only way to do so, then I say, go for it !

I am sick and tired of "audits" that dont do s**t and more denials playing with customer's businesses just because they can and dont give a damn about anything else than "piracy protection" and money.


----------



## johnnyd95

Tux said:


> This skid means srs bsns.


Yeah, that skid is me and Curtis G if you haven't figured it out by now.


----------



## SeriesN

johnnyd95 said:


> Yeah, that skid is me and Curtis G if you haven't figured it out by now.


Proof of your involvement?


----------



## Tux

johnnyd95 said:


> Yeah, that skid is me and Curtis G if you haven't figured it out by now.


Haven't been connecting the dots

Anyway, I still think that there needs to be a good open source billing and control panel solution. This has just shown that the closed-source stuff is not worth it anymore.


----------



## trewq

Truthfully I just typed up a huge rant about everything that is happening right now but it turned out to be very unprofessional so I made a wise choice and didn't post it.

My whiteboard is now full as I plan to make a new panel for billing and OpenVZ. WHMCS and SolusVM give too much flexibility leaving way too much room for error.


----------



## Mr. Obvious

Why do we not have a :popcorn: smiley?


----------



## texteditor

Shit, we might as well make a week of it and get all these shitty PHP products released at once


----------



## MannDude

Mr. Obvious said:


> Why do we not have a :popcorn: smiley?


We do, now.


----------



## peterw

:popcorn:


----------



## johnnyd95

Me and Curtis G are releasing 0day vun for hostbill and whmcs in 2 days on Friday at noon 12pm est.


----------



## netnub

johnnyd95 said:


> Me and Curtis G are releasing 0day vun for hostbill and whmcs in 2 days on Friday at noon 12pm est.


First, I have no part in this with you.

Secondly, Curtis G and I* are releasing zero-day* vulnerability* for HostBill* and WHMCS* in 2 days on Friday at noon *

Thirdly, if you keep including me in your bullshit, I will be calling the police.


----------



## MartinD

netnub said:


> First, I have no part in this with you.
> 
> Secondly, Curtis G and I* are releasing zero-day* vulnerability* for HostBill* and WHMCS* in 2 days on Friday at noon *
> 
> Thirdly, if you keep including me in your bullshit, I will be calling the police.


Are you for real?

You're going to call the police?

Actual. Fucking. LOL.


----------



## JDiggity

MannDude can we ban johnny and his IP? He is a worthless pile. Steals his mom's credit card, I am not sure he is even supposed to be on websites related to this type of information.


----------



## johnnyd95

netnub said:


> First, I have no part in this with you.
> 
> 
> Secondly, Curtis G and I* are releasing zero-day* vulnerability* for HostBill* and WHMCS* in 2 days on Friday at noon *
> 
> 
> Thirdly, if you keep including me in your bullshit, I will be calling the police.


Stop denying your part of it, we had this planned out for months. You gain trust from the community, then hack RamNode allowing them to blame Robert, then release 0day exploit attacking CVPS, then according to our plan I join, and we tell everybody what's to come.


----------



## MartinD

24khost said:


> MannDude can we ban johnny and his IP? He is a worthless pile. Steals his mom's credit card, I am not sure he is even supposed to be on websites related to this type of information.


Let's see what happens. They appear to be as bad as each other. Some timeout for both might be around the corner.


----------



## AnthonySmith

Said it once and I will say it again: this sort of crap should come with a minimum 2 year jail term. If you break into an insecure door on a store and then make it impossible for the store to operate, you will go to jail and be paying back damages for the best part of your life; just because you can sit behind a computer and destroy lives and businesses does not make things any less real.

The world needs to sack up and do something to seriously deter this sort of thing. I used to be all about respecting privacy on the internet, but when so many people are out to hurt others for nothing more than bragging rights it is just playing straight into the hands of those that would seek to take away privacy online, and frankly they would have my vote if it stopped the majority of this BS.


----------



## Reece-DM

How does posting a SS of the source code prove there's a vuln in it?

Anybody can decode WHMCS, Jesus, there are numerous copies scattered about the internet over the years.

Please stop this stupidity.


----------



## JDiggity

@AnthonySmith Can we go back to the old days and just string them up?


----------



## AnthonySmith

24khost said:


> @AnthonySmith Can we go back to the old days and just string them up?


I think we just need a bounty site.

Example of how it works:

Ramnode got hacked so they post all logs and information , links and background and net loss including man hours spent etc.

Then people contribute in a Kickstarter style, the higher the price the more interest in finding the responsible person and the person that is directly responsible for providing the information that leads to the punishment through law or the ass kicking of a life time (injury must be permanent e.g. smash knee caps, fingers taken) gets 50% of the money and the other 50% goes to the victim but only on either the on line posting of the ass kicking or the confirmed arrest.

Seems fair to me and as much as that may sound funny I would absolutely back it 100%


----------



## JDiggity

Count me in.  Even though in the US that might turn out to be illegal!


----------



## AnthonySmith

24khost said:


> Count me in.  Even though in the US that might turn out to be illegal!


Meh... Register the organisation in Russia, if people decide to act on it in the USA then that is on them.


----------



## JDiggity

Can we just hire the Russian mob to take care of everything then?


----------



## AnthonySmith

24khost said:


> Can we just hire the Russian mob to take care of everything then?


That would be illegal.


----------



## JDiggity

Not if we hire them with a Russian based company.


----------



## AnthonySmith

24khost said:


> Not if we hire them with a Russian based company.


Well we can invite them to take part I suppose, no harm in that.


----------



## jarland

johnnyd95 said:


> Yeah, that skid is me and Curtis G if you haven't figured it out by now.


I really appreciate you guys shutting down my business for a week. Me and Ryan both out of town, myself on very bad Internet and no cell signal. Don can only be expected to stay awake so much. This was an unusual week as I work one job out of town every year and Ryan went to hostingcon. Regardless, you two are the cause of much stress, suffering, and financial loss this week. Our clients are as safe as we can make them (Internet, "safe" is a relative term), can't say the same for our physical and mental well being right now.

I hope you're both real proud. I just want you to know that I really appreciate the fact that this week I'm audio engineer, videographer, and I have to play sys admin at night now so I'm literally getting sick from lack of sleep. Much appreciated. Wish you'd picked another week.


There are people on the other side of that screen you know.


----------



## netnub

:popcorn:

From LEB:


----------



## HalfEatenPie

jarland said:


> Don can only be expected to stay awake so much.



Red Bull gives you wings!

Also might be why I was on this forum so much during the last couple of days, 4-5 hours a nightish sleep (semi-uneasy sleep really, waking up every once in a while to check), no DRINKING (maybe a beer or two here but no "drinking" drinking).  And IRC.  And Skype.  We did prepare for it though!  

HalfEatenPie with no alcohol is like...  Earth with no water.


----------



## Flapadar

I don't think whoever posted that on LEB knows what XSS is. Causing the hostbill login to run a script in your own browser isn't exactly an accomplishment.

If it can run in someone else's, sure; good game. Pat yourself on the back. Doesn't look like it though.


----------



## nunim

Why aren't these people banned from VPSB?  I didn't think we were a skid friendly community.   Both hostbill and WHMCS unencrypted sources are available from a variety of sites, if you have an exploit and you're going to cause "lolz" then go for it and shut the fuck up about it already.


----------



## johnnyd95

MartinD said:


> Let's see what happens. They appear to be as bad as each other. Some timeout for both might be around the corner.


Curtis G and I thought about stopping..., can't get rid of us yet


----------



## johnnyd95

jarland said:


> I really appreciate you guys shutting down my business for a week. Me and Ryan both out of town, myself on very bad Internet and no cell signal. Don can only be expected to stay awake so much. This was an unusual week as I work one job out of town every year and Ryan went to hostingcon. Regardless, you two are the cause of much stress, suffering, and financial loss this week. Our clients are as safe as we can make them (Internet, "safe" is a relative term), can't say the same for our physical and mental well being right now.
> 
> 
> I hope you're both real proud. I just want you to know that I really appreciate the fact that this week I'm audio engineer, videographer, and I have to play sys admin at night now so I'm literally getting sick from lack of sleep. Much appreciated. Wish you'd picked another week.
> 
> 
> There are people on the other side of that screen you know.


Thank you, Curtis G and I worked hard to make it happen. :popcorn:


----------



## johnnyd95

nunim said:


> Why aren't these people banned from VPSB? I didn't think we were a skid friendly community. Both hostbill and WHMCS unencrypted sources are available from a variety of sites, if you have an exploit and you're going to cause "lolz" then go for it and shut the fuck up about it already.


You want Curtis G, and me banned? Put up a poll asking if Curtis G and me should be banned. If the majority of the forum thinks that, then ban us. :popcorn:


----------



## shovenose

johnnyd95 said:


> You want Curtis G, and me banned? Put up a poll asking if Curtis G and me should be banned. If the majority of the forum thinks that, then ban us. :popcorn:


I think banning these people, no matter how annoying, will not help. It might be somewhat helpful to have them here.


----------



## jarland

shovenose said:


> I think banning these people, no matter how annoying, will not help. It might be somewhat helpful to have them here.


No it won't. They only want attention. They're feeding off the "lulz" here so deprive them of that by banning every new name they make and encouraging hosts to deal with these matters quietly so long as clients are not directly impacted. They are nothing more than children who demand to be heard. I hope one day they grow up and realize that the world doesn't revolve around them, but until then I'd settle for everyone affected filing civil lawsuits for lost income when they step over the line. Sure it's expensive, but kids need to learn. With that said, they'll no longer be acknowledged by me, Ryan, or Don as a part of Catalyst Host. We don't negotiate with skids. Anything further that we have to communicate to them can be done by certified/registered mail, should any reason present itself.


----------



## XFS_Duke

Thanks for banning johnnyd95...


----------



## Magiobiwan

Now to ban netnub too.


----------



## netnub

Magiobiwan said:


> Now to ban netnub too.


For what? Making your security better...


SolusVM, WHMCS, Hostbill are at fault here, not me. I simply abuse the software and find the exploits, I don't develop their shit software.


It's your fault for using the horrible software in the first place. In my "defense", I used my best efforts to contact the developers, and was ignored. Therefore they're stupid for ignoring me.


As for you Jarland, I really have nothing to say to you, besides without people like me you wouldn't understand the concept of security. If we're going to bash people who expose vulnerabilities, why don't we blame every security researcher/exploiter on the internet; too many to count.


As for suing people, that's just pure out bullshit. The fact you want to sue the person who disclosed them is pure stupidity, you should be suing the companies for not understanding the concept of security. I really hate when people like you want to say you can sue anyone for any reason, as that just doesn't work for me. You can't simply sue people for assisting in finding security issues.


As for all the companies like SolusVM, WHMCS, HostBill, SPBAS, etc. that think they're safe, well they're not. They will never be, as long as they still rely on encoders to make them 'un-exploitable' then people will decode + find vulnerabilities and then expose them.


No matter how much you want to deny what I've said here it'd be very hard for you to do that as it's all facts that I'm posting. I was asked multiple times to contact them first, so I did, I even showed proof! Then I disclosed some, hell even Humza (Infinity on LET) gave them proof of vulnerabilities, however in a blog post they denied that no one sent them anything.


Unless companies take credit for their mistakes then they'll never learn. Now I'm not going to say you can never be 100% "unhackable", because anything written by people can be exploited, reverse engineered, etc. For example, SolusVM knows what it has to do because someone told it what to do in lines of code, however they f**ked up majorly by not sanitizing the variables.


Therefore, referring to the point above, the company who developed the commercial product is at fault, not the security researchers.


Now I feel I've ranted enough at 12:05 AM in the morning.


----------



## concerto49

.


----------



## wlanboy

Should it not be the time?

:popcorn:


----------



## jarland

Magiobiwan said:


> Now to ban netnub too.


I second this motion.


----------



## titanicsaled

jarland said:


> I second this motion.


 

Yup, it's about time I think.

It just shows that he hasn't changed at all since his amazing contributions to LET.


----------



## Marc M.

jarland said:


> I second this motion.


@jarland netnub posted this thread a while back asking about needing a DDoS protected server: http://vpsboard.com/topic/495-251gbs-attack-incoming-flood-advice/?hl=ddos

... just to see how many providers would jump at offering him something; then he started sending private messages to providers, including myself, asking them if they would want to resell DDoS Protection Services from HostKVM.net. I mean why in God's name would I want to do that when we already provide DDoS mitigation for free, and we can also provide IP filtering for a price, all of which is built into our DCs infrastructure.

I'm for banning him as well. Such behaviour is unacceptable and below the standards of vpsBoard IMHO.


----------



## MartinD

Oh boy - here goes



netnub said:


> ..a lot of bullshit





> For what? Making your security better...
> SolusVM, WHMCS, Hostbill are at fault here, not me. I simply abuse the software and find the exploits, I don't develop their shit software.


Please share with the community where exactly you made anyone's security better and how fault lies solely at the feet of these software vendors. We'll touch back on this in a moment.



> It's your fault for using the horrible software in the first place. In my "defense", I used my best efforts to contact the developers, and was ignored. Therefore they're stupid for ignoring me.


Wrong, once again. You didn't use any 'best efforts' to contact the developers. You submitted a ticket and used their contact form with a ridiculous title relating to their clock ticking away... and that if they didn't reply you would release some information (of which no-one has seen anything of any value).



> As for suing people, that's just pure out bullshit. The fact you want to sue the person who disclosed them is pure stupidity, you should be suing the companies for not understanding the concept of security. I really hate when people like you want to say you can sue anyone for any reason, as that just doesn't work for me. You can't simply sue people for assisting in finding security issues.


Suing isn't ridiculous here. Different way to look at it: you put the business of many providers on hold for a day claiming you had 18 vulnerabilities to disclose. What you actually had... was sweet naff all. Are you going to hold your hands up and apologise to the huge number of providers you caused issues for? Oh, and again, you disclosed nothing.



> No matter how much you want to deny what I've said here it'd be very hard for you to do that as it's all facts that I'm posting. I was asked multiple times to contact them first, so I did, I even showed proof! Then I disclosed some, hell even Humza (Infinity on LET) gave them proof of vulnerabilities, however in a blog post they denied that no one sent them anything.


I'm sure I'm not alone here in wondering where all these facts are. You were asked to contact them first (something anyone with 2 braincells would have done before taking their 2" hardon public) but you didn't. It wasn't until mid-afternoon you bothered to contact them. You didn't show them any proof at all, you submitted a lame-ass ticket with no information at all apart from, yet again, your raging hardon for attention. You disclosed some? No, again, wrong. You disclosed nothing of any value at all. With regards to Humza, you should probably speak to him again about that - your wires are quite crossed there. What you provided was a few snippets of code where you used 'grep' to find any instance of 'exec' and treated it as though it was some kind of vulnerability. l33t h4x0r. The blog post was made to confirm that no information relating to any exploits had been given and that was true. Really, what Solus should have done is write a blog post saying "Some kid with a hardon is going around trying to scare providers. Being responsible, we're looking into all of the code to see if any of this is true. Unfortunately, said kid is too busy wanking into an old sock over forum posts to get in touch. We'll continue to look for any possible issues in the meantime."

With regards to security over all, I think we should cast our minds back to the posts on LET where you claimed to be coding a billing system. No, wait, a ticket system. No, wait, a VPS panel. No wait... you get the picture. Each and every one of them was picked apart by the community within minutes because the code was so bad and.... wait for it... full of holes. Our self-proclaimed expert on security here is producing code with more air than Swiss cheese.

All you've done on this forum is cry wolf, make bold claims with no proof and prove yourself to be incredibly stupid. You've been rude and disruptive on IRC and you fail to see why people have a problem with you. I would suggest you put the sock away, go outside, play on your go-kart for a while then come back with fresh eyes. No-one here takes you seriously and your attempt to re-brand yourself from "CurtisG" to "netnub" has failed catastrophically. Do us all a favour; grow up.


----------



## peterw

*netnub*:

Trying to blackmail people excludes any just causes. What's your business with SolusVM?


----------



## Daniel

I would also be in favour of netnub being banned. He does nothing but contribute negativity towards this community.

@netnub Stop pretending you are some sort of hero. You are ruining peoples lives.


----------



## MartinD

peterw said:


> Trying to blackmail people excludes any just causes. What's your business with SolusVM?


My business? I'm a customer and a provider that was affected. I'm also a reasonable guy that can't tolerate idiots.


----------



## peterw

Sorry MartinD. I thought I had quoted netnub. My statement was for netnub and not for you!


----------



## MartinD

No worries - just clearing that up


----------



## netnub

I could honestly care less if I "ruin lives", I can make them a living hell and I wouldn't give a fuck.


----------



## Aldryic C'boas




----------



## netnub




----------



## blergh

Jokes on you.


----------



## Otakumatic

TL;DR

What the fuck happened last night?


----------



## Magiobiwan

@MartinD I was going to write up a response like that to his statement, but it's such a pain to write a long reply on my phone. And your post hits everything I would have said too


----------



## ShardHost

netnub said:


> I could honestly care less if I "ruin lives", I can make them a living hell and I wouldn't give a fuck.


Could or couldn't ?


----------



## anyNode

...aaaand it seems WHMCS was next to be exploited.


----------



## rds100

anyNode said:


> ...aaaand it seems WHMCS was next to be exploited.


Mmm? Have I missed something?


----------



## kaniini

He is probably referring to this: http://www.localhost.re/p/solusvm-whmcs-module-316-vulnerability

I don't think it counts specifically as a WHMCS vulnerability, but instead more proof that SolusVM is malware.


----------



## rds100

Yes, it is not a WHMCS bug, it is a SolusVM bug, which can also be argued about. It could be considered a libcurl bug.


----------



## willie

1. A patch for curl is pending; see the bugs page for curl on SourceForge. The patch is to replace the bogo-random string with a harder to guess one (generated by the OpenSSL cryptographic PRNG).

2. I wouldn't completely call this a curl bug, but curl's behavior was suboptimal and the patch will help.

3. As a general principle, input "sanitization" is doomed to failure and it's better to keep the control and data paths of a program completely separate, so that data doesn't need to be "sanitized" (it can stay dirty). For example, don't try to escape special input characters before splicing them into an SQL query. Use prepared queries instead, so that the input data never touches the query parser. Little Bobby Tables will thank you.

4. If you absolutely can't avoid passing user data through some interpretation layer, it's best to encode it so that it can't possibly be parsed as controlling something. I've sometimes used hexadecimal encoding for this since it's simple and not much can go wrong. It does require controlling both sides of the communication so that the other side can decode, i.e. it might not have been applicable to this particular attack (though it would have stopped it because of the high likelihood of non-hex chars in the curl-generated separator string). Using base64 sounds more efficient than hex but I've seen it hit various problems. But it requires some control over both sides of the transaction.
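Points 3 and 4 of the post above, shown as an added Python example. This is not code from the thread or from any of the products discussed (WHMCS, HostBill, SolusVM, curl); the in-memory SQLite table, the sample user names, the hostile input and the separator string are all constructed here. It runs the same tautology input through a spliced query and through a prepared query to show why the second one is the right fix, and then shows why hex-wrapping data makes a non-hex separator impossible to collide with.

```python
import binascii
import sqlite3

# Constructed sample data for the example (not from the thread).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]
HEX_ALPHABET = frozenset("0123456789abcdef")


def make_db():
    """Build a throwaway in-memory SQLite table to run the queries against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_spliced(conn, name):
    """Anti-pattern: user data spliced into the statement text.

    The SQL parser sees the caller's quotes and keywords as SQL, so the
    control path and the data path are one and the same."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, name):
    """Prepared statement: the value is bound separately from the text.

    The parser only ever sees the fixed statement with a placeholder; the
    bound value stays data no matter what characters it contains."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def hex_wrap(data):
    """Encode arbitrary bytes as lowercase hex before they cross a layer
    that parses its input (point 4 in the post)."""
    return binascii.hexlify(data).decode("ascii")


def hex_unwrap(text):
    """Decode on the receiving side; both ends must agree on the scheme."""
    return binascii.unhexlify(text)


def separator_can_collide(separator):
    """A control token can only appear inside hex-wrapped data if the token
    itself consists solely of lowercase hex digits. Any other character in
    the separator (a dash, an uppercase letter, a quote) makes a collision
    impossible regardless of what the user sent."""
    return bool(separator) and set(separator) <= HEX_ALPHABET


def embed_safely(data, separator):
    """Wrap data so it can sit next to a parser-significant separator.
    Refuses a separator that encoded data could mimic."""
    if separator_can_collide(separator):
        raise ValueError("separator is pure hex; pick one with a non-hex character")
    encoded = hex_wrap(data)
    # Holds by construction: a string with a non-hex character is never a
    # substring of a pure-hex string.
    assert separator not in encoded
    return encoded


def demo():
    """Run the spliced and prepared lookups on the same hostile input and
    report how many rows each returns."""
    conn = make_db()
    hostile = "x' OR '1'='1"   # constructed tautology input
    return {
        "spliced": len(lookup_spliced(conn, hostile)),    # 2: the filter is defeated
        "prepared": len(lookup_prepared(conn, hostile)),  # 0: treated as a literal name
        "honest": len(lookup_prepared(conn, "alice")),    # 1: normal lookup still works
    }


if __name__ == "__main__":
    print(demo())
    boundary = "--curl-boundary-7f3a"   # constructed stand-in for a multipart separator
    body = b"user data containing the separator --curl-boundary-7f3a inside it"
    wrapped = embed_safely(body, boundary)
    print(boundary in wrapped, hex_unwrap(wrapped) == body)
```

The prepared query returns zero rows for the hostile input because the bound value is compared as a literal name, which is exactly the property the post describes: the data never reaches the parser. The hex wrapper is the general form of the separator argument in point 4: once the payload can only contain sixteen characters, any separator with even one character outside that alphabet cannot occur inside it.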


----------



## scv

Even if there's nothing announced right now I'd still be very wary of a WHMCS exploit. It's happened repeatedly in the past and they've proven their code is of very poor quality. If you're going to be using WHMCS you should ensure the machine is really locked down, and preferably isolated on its own VM.


----------

