# New WHMCS exploit (10-18-2013)



## MannDude (Oct 18, 2013)

Not going to post the link to the exploit, but it can be found easily.

May want to pull your WHMCS installs offline. Looks like it can dump admin and member data. Thought it was already posted here but looks like it's in the private provider forum so sharing here too.


----------



## wlanboy (Oct 18, 2013)

Looks like you should shutdown your WHMCS instances again.

Usable via sviewticket.php.



> This opens up a lot of other holes, for example we can write to /configuration.php whatever we want (PHP code included)


----------



## rds100 (Oct 18, 2013)

Might want to merge those 3 threads on the same topic...


----------



## MannDude (Oct 18, 2013)

rds100 said:


> Might want to merge those 3 threads on the same topic...


Woops.

Only two are public. I'll merge those. The one with the link in it is in the provider hangout and is only visible to providers.


----------



## Reece-DM (Oct 18, 2013)

This is getting ridiculous now!

Let's hope no one gets screwed by this.

Not looking good for WHMCS and the cPanel team.


----------



## HostVenom - Brandon (Oct 18, 2013)

WHMCS needs to complete a third party security audit.


----------



## Lee (Oct 18, 2013)

I was under the impression they did get 3rd party audits done, maybe I misread that. They need to find someone else if they are.


----------



## BuyCPanel-Kevin (Oct 18, 2013)

Lol, another exploit? Wow that's pretty bad, I'm curious as to what it is though...


----------



## kaniini (Oct 18, 2013)

BuyCPanel-Kevin said:


> Lol, another exploit? Wow that's pretty bad, I'm curious as to what it is though...


Essentially, they recreated a misfeature of PHP called "register globals". As a result, it is possible to manipulate the variable state to do an SQL injection. That's pretty much the tl;dr.
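The mechanism kaniini describes, as an added illustration that is not WHMCS code and not from any post in this thread: a page copies every request parameter into a local variable of the same name (userland "register globals"), so a client-supplied `userid` overwrites the value the page took from the session and lands unescaped in the query. The table, column and parameter names (`tbltickets`, `ticketid`, `userid`), the sample rows and the request are all assumptions constructed for this example; the hardened function beside it shows the two fixes that matter.

```php
<?php
// Added example, not WHMCS code: an emulated "register globals" pattern,
// the SQL injection it enables, and a hardened rewrite of the same page.
// Table, column and parameter names (tbltickets, ticketid, userid) are
// assumptions made for this illustration.

// Constructed stand-in for $_REQUEST: the attacker adds a 'userid' parameter
// that the page never meant to accept from the client.
$request = ['ticketid' => '7', 'userid' => '0 OR 1=1 -- '];

// In-memory SQLite database seeded with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbltickets (id INTEGER, userid INTEGER, message TEXT)');
$db->exec("INSERT INTO tbltickets VALUES (7, 42, 'ticket owned by client 42')");
$db->exec("INSERT INTO tbltickets VALUES (8, 99, 'ticket owned by client 99')");

// Vulnerable: $userid is taken from the trusted session first, then every
// request parameter is registered as a local variable of the same name.
// The client-supplied 'userid' silently replaces the trusted value and is
// interpolated straight into the SQL string.
function vulnerableView(PDO $db, array $request, int $sessionUserId): array
{
    $userid = $sessionUserId;                 // trusted value from the session
    foreach ($request as $name => $value) {   // emulated register_globals
        $$name = $value;                      // creates $ticketid, overwrites $userid
    }
    $sql = "SELECT id, userid, message FROM tbltickets "
         . "WHERE id = $ticketid AND userid = $userid";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: read only the parameters the page expects, validate their type,
// keep the session value in its own variable, and bind both with a prepared
// statement so no request value is ever interpolated into SQL.
function hardenedView(PDO $db, array $request, int $sessionUserId): array
{
    $ticketId = filter_var($request['ticketid'] ?? '', FILTER_VALIDATE_INT);
    if ($ticketId === false) {
        return [];                            // reject non-numeric ids outright
    }
    $stmt = $db->prepare('SELECT id, userid, message FROM tbltickets '
                       . 'WHERE id = :id AND userid = :uid');
    $stmt->execute([':id' => $ticketId, ':uid' => $sessionUserId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Client 99 asks for ticket 7, which belongs to client 42.
$sessionUserId = 99;
$leaked = vulnerableView($db, $request, $sessionUserId);
$safe   = hardenedView($db, $request, $sessionUserId);
printf("vulnerable path returned %d row(s)\n", count($leaked));
foreach ($leaked as $row) {
    printf("  leaked: ticket %d of client %d: %s\n", $row['id'], $row['userid'], $row['message']);
}
printf("hardened path returned %d row(s)\n", count($safe));
```

Run it with the `php` CLI (pdo_sqlite is assumed to be available). In the vulnerable path the `WHERE` clause becomes `id = 7 AND userid = 0 OR 1=1 -- `, so every ticket in the table comes back regardless of who is logged in; the hardened path ignores the stray `userid` parameter, keeps client 99 bound as the owner, and returns nothing. Both fixes are needed: stop mapping request keys onto variable names (the `$$name` loop), and stop building SQL by string concatenation. When auditing a PHP code base for this pattern, `extract($_REQUEST)`, `extract($_GET)` and loops of the form `foreach ($_REQUEST as $k => $v) $$k = $v;` are the things to grep for.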


----------



## spry (Oct 18, 2013)

dang! .. /facepalm


----------



## MannDude (Oct 18, 2013)

I'm not a WHMCS customer, but does WHMCS send out a mass email or have a method of warning of such things in the admin panel? It'd be a shame if there are people out there unaware of this exploit, and even worse if WHMCS wasn't sending out emails to their customers to inform them that they need to take action, whatever it'd be they'd recommend. I know they inform you of new versions available in the admin panel but am unaware if they *warn* you in a manner that is impossible to miss when newly known unpatched exploits are out and about.


----------



## KuJoe (Oct 18, 2013)

WHMCS does not send out any notification regarding security alerts until after the exploit has been verified which is usually when they have a patch for it.

Luckily we have 1 data center that keeps us updated of WHMCS exploits as soon as they hear about them (but the e-mails, PMs, and tickets are still appreciated for those who send them our way).


----------



## NodeBytes (Oct 18, 2013)

MannDude said:


> I'm not a WHMCS customer, but does WHMCS send out a mass email or have a method of warning of such things in the admin panel? It'd be a shame if there are people out there unaware of this exploit, and even worse if WHMCS wasn't sending out emails to their customers to inform them that they need to take action, whatever it'd be they'd recommend. I know they inform you of new versions available in the admin panel but am unaware if they *warn* you in a manner that is impossible to miss when newly known unpatched exploits are out and about.


No, without the forums and communities I would never know about these exploits.

I'm tempted to drop WHMCS, I don't trust my clients' data on it anymore. But there isn't much that compares that's self hosted.


----------



## MCH-Phil (Oct 18, 2013)

Blog post updated, with patch.

http://blog.whmcs.com/?t=80223


----------



## XFS_Duke (Oct 18, 2013)

Awesome.. I just updated 3 installs... Wish that WHMCS would provide multi-company support!!!!!! Oh well...


----------



## ndelaespada (Oct 19, 2013)

Updated! now let's just sit and wait for the next exploit.


----------



## concerto49 (Oct 19, 2013)

It's still broken after the patch


----------



## shovenose (Oct 19, 2013)

concerto49 said:


> It's still broken after the patch


what's still broken?


----------



## DalComp (Oct 19, 2013)

concerto49 said:


> It's still broken after the patch


What is still broken?

What does the "evil" lines do? Just changing to invalid license key or is there any other harm?


----------



## concerto49 (Oct 19, 2013)

DalComp said:


> What is still broken?
> 
> What does the "evil" lines do? Just changing to invalid license key or is there any other harm?


This patch doesn't fix all the problems it seems.


----------



## MartinD (Oct 19, 2013)

...what problems does it fix?

Instead of being cloak and dagger about it, post what you know and the evidence/proof to back it up. Otherwise you're just leaving everyone second guessing which does nothing to help people out.


----------



## trewq (Oct 19, 2013)

MartinD said:


> ...what problems does it fix?
> 
> 
> Instead of being cloak and dagger about it, post what you know and the evidence/proof to back it up. Otherwise you're just leaving everyone second guessing which does nothing to help people out.


If he does that then it is public. I imagine it has been reported to whmcs.


----------



## concerto49 (Oct 19, 2013)

MartinD said:


> ...what problems does it fix?
> 
> Instead of being cloak and dagger about it, post what you know and the evidence/proof to back it up. Otherwise you're just leaving everyone second guessing which does nothing to help people out.


So when someone posts an exploit they get bashed for not keeping quiet and notifying WHMCS instead. Now when someone doesn't post - also get bashed for not telling. Huh?


----------



## Increhost (Oct 19, 2013)

Hope some time WHMCS just pays localhost to do a full code audit,

and gives some secure coding training to their devs.


----------



## Cloudrck (Oct 19, 2013)

Increhost said:


> Hope some time WHMCS just pays localhost to do a full code audit,
> 
> and gives some secure coding training to their devs.


If they would bother to read the descriptions that go with the exploits he has posted they could apply fixes to code he hasn't exploited yet. Doesn't seem like they are doing this though.


----------



## apt (Oct 19, 2013)

DalComp said:


> What is still broken?
> 
> What does the "evil" lines do? Just changing to invalid license key or is there any other harm?


The "evil" lines `eval` (haha), allowing for arbitrary code execution.


----------



## MartinD (Oct 19, 2013)

concerto49 said:


> So when someone posts an exploit they get bashed for not keeping quiet and notifying WHMCS instead. Now when someone doesn't post - also get bashed for not telling. Huh?


I asked what had been fixed, that's somewhat different. Why bother saying anything if you're not helping?


Completely different to publishing details and info on how to compromise someone's system.


----------



## jcarney1987 (Oct 19, 2013)

Yea I got an email from them last night and updated my WHMCS to 5.2.9 and it broke my mass mailing features. I'm not sure if it's the patch or not, but I've re-uploaded several times and still can't get it fixed. Anybody have that problem after updating to 5.2.9?


----------



## MartinD (Oct 19, 2013)

Lots of people are reporting that problem - you're not alone.


----------

