# More awful WHMCS coding



## yolo (Oct 15, 2013)

I was looking at the view source feature in chrome in the WHMCS mass mail tool. I found this:



```html
<input type="hidden" name="massmailquery" value="SELECT id,id AS userid,tblclients.firstname,tblclients.lastname,tblclients.email FROM tblclients WHERE id!='' AND tblclients.status IN ('Active','Inactive','Closed') AND tblclients.language IN ('')">
```

This is in the admin area so it isn't that bad of a security risk, but the stupidity behind this is what dumbfounds me. If they are this dumb here, where else do they do dumb stuff?

You can see for yourself: in the mass mail tool, where you compose the e-mail, look in there and you will see the query of the previously selected options.

Keep up the great work WHMCS!


----------



## GIANT_CRAB (Oct 15, 2013)

They don't even have measures to prevent XSS and CSRF (just look at user or admin login), this isn't any surprise at all.


----------



## wlanboy (Oct 16, 2013)

Just ... ahm ... can't believe your finding.


----------



## trewq (Oct 16, 2013)

Spencer said:


> I was looking at the view source feature in chrome in the WHMCS mass mail tool. I found this:
> 
> 
> 
> ...


Did you report this to WHMCS?


----------



## concerto49 (Oct 16, 2013)

trewq said:


> Did you report this to WHMCS?


That's like reporting whmcs to whmcs lol.


----------



## Raymii (Oct 16, 2013)

One more reason to put WHMCS behind a WAF like ModSecurity. I'm not even surprised anymore...


----------



## vld (Oct 16, 2013)

trewq said:


> Did you report this to WHMCS?


What's the point? This is clearly by design.


----------



## trewq (Oct 16, 2013)

vld said:


> What's the point? This is clearly by design.


It shouldn't be, though, and it could be something they had in there from the start that has been overlooked.


----------



## dnom (Oct 16, 2013)

Raymii said:


> One more reason to put WHMCS behind a WAF like ModSecurity. I'm not even surprised anymore...


I'm not very familiar with ModSecurity. But won't this block the mass mail tool too? It's taking SQL statements as valid field values after all.


----------



## zim (Oct 16, 2013)

None of this is surprising to me. It's crazy how careless some industry programmers can be.


----------



## Increhost (Oct 16, 2013)

It's almost incredible indeed.


----------



## RiotSecurity (Oct 16, 2013)

GIANT_CRAB said:


> They don't even have measures to prevent XSS and CSRF (just look at user or admin login), this isn't any surprise at all.


You're forgetting the CSRF on domain checker.


----------



## concerto49 (Oct 16, 2013)

trewq said:


> It shouldn't be though and it could be something they had in there from the start and has been overlooked.


Thought you've been around long enough. It's whmcs we're talking about.


----------



## trewq (Oct 16, 2013)

concerto49 said:


> Thought you've been around long enough. It's whmcs we're talking about.


Haha you can always hope though.


----------



## Raymii (Oct 17, 2013)

dnom said:


> I'm not very familiar with ModSecurity. But won't this block the mass mail tool too? It's taking SQL statements as valid field values after all.


Yep, it will block that then. That means WHMCS has to fix their crap.


----------
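The two points raised so far, the hidden field that ships a whole SQL statement to the browser and the question of whether a WAF would then block the legitimate form post, can be shown side by side. The following is an added example written for this thread, not WHMCS code: it reproduces the quoted `massmailquery` pattern against an in-memory SQLite table with constructed sample rows, puts a hardened version next to it in which the SQL stays on the server and the form carries only whitelisted filter values (the `status` and `language` field names are assumed, not WHMCS's), and finishes with a deliberately naive keyword check standing in for a WAF signature.

```python
"""
Added example for the WHMCS mass mail thread (not WHMCS code).

Language-agnostic illustration in Python/SQLite of the pattern quoted above:
a form field carrying a complete SQL statement versus a form carrying only
bound filter parameters, plus a crude WAF-style check showing why the former
trips generic SQL signatures.
"""
import re
import sqlite3

# Constructed sample rows standing in for tblclients; the empty language
# string mirrors the language IN ('') clause in the quoted query.
SAMPLE_CLIENTS = [
    (1, "Ann", "Lee", "ann@example.com", "Active", ""),
    (2, "Bob", "Ng", "bob@example.com", "Closed", ""),
    (3, "Cy", "Ito", "cy@example.com", "Active", "german"),
    (4, "Di", "Ray", "di@example.com", "Fraud", ""),
]

# The value of the hidden field quoted in the thread, verbatim.
CLIENT_SUPPLIED_QUERY = (
    "SELECT id,id AS userid,tblclients.firstname,tblclients.lastname,"
    "tblclients.email FROM tblclients WHERE id!='' AND tblclients.status IN "
    "('Active','Inactive','Closed') AND tblclients.language IN ('')"
)

# A constructed edited value: same shape, filters simply dropped.
TAMPERED_QUERY = "SELECT id,id AS userid,firstname,lastname,email FROM tblclients"

# Whitelist for the hardened version; the three statuses the quoted query uses.
ALLOWED_STATUSES = {"Active", "Inactive", "Closed"}
LANGUAGE_PATTERN = re.compile(r"[a-z]{0,32}")


def setup_db() -> sqlite3.Connection:
    """Create an in-memory tblclients populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblclients (id INTEGER PRIMARY KEY, firstname TEXT, "
        "lastname TEXT, email TEXT, status TEXT, language TEXT)"
    )
    conn.executemany("INSERT INTO tblclients VALUES (?,?,?,?,?,?)", SAMPLE_CLIENTS)
    return conn


def mass_mail_recipients_unsafe(conn: sqlite3.Connection, form: dict) -> list:
    """Vulnerable pattern: run whatever SQL came back in the hidden field.

    Whoever can edit the posted form decides the statement; the server only
    executes it. Email is column index 4 in the quoted SELECT.
    """
    return sorted(row[4] for row in conn.execute(form["massmailquery"]))


def mass_mail_recipients_safe(conn: sqlite3.Connection, form: dict) -> list:
    """Hardened pattern: SQL lives here, the form carries only filter values.

    Values are checked against a whitelist and bound as placeholders, so the
    client can choose which rows match but cannot change the statement itself.
    """
    statuses = form.get("status", [])
    languages = form.get("language", [])
    if not statuses or not set(statuses) <= ALLOWED_STATUSES:
        raise ValueError("status filter outside whitelist")
    if not languages or not all(LANGUAGE_PATTERN.fullmatch(l) for l in languages):
        raise ValueError("malformed language filter")
    sql = (
        "SELECT email FROM tblclients WHERE status IN ({}) AND language IN ({}) "
        "ORDER BY email"
    ).format(",".join("?" * len(statuses)), ",".join("?" * len(languages)))
    return [row[0] for row in conn.execute(sql, statuses + languages)]


SQL_SIGNATURE = re.compile(r"\b(select|union|insert|update|delete|from|where)\b", re.I)


def looks_like_sql(field_value: str) -> bool:
    """Naive stand-in for a WAF SQL-injection signature (not a ModSecurity rule).

    Two or more SQL keywords in one field value is enough to flag it; the
    legitimate massmailquery post trips this, a bare status value does not.
    """
    return len(SQL_SIGNATURE.findall(field_value)) >= 2


if __name__ == "__main__":
    db = setup_db()
    print("as shipped:", mass_mail_recipients_unsafe(db, {"massmailquery": CLIENT_SUPPLIED_QUERY}))
    print("edited field:", mass_mail_recipients_unsafe(db, {"massmailquery": TAMPERED_QUERY}))
    print("hardened:", mass_mail_recipients_safe(db, {"status": ["Active", "Closed"], "language": [""]}))
    print("WAF flags hidden field:", looks_like_sql(CLIENT_SUPPLIED_QUERY))
    print("WAF flags status value:", looks_like_sql("Active"))
```

The hardened version answers dnom's question as well: once the form only carries values like `Active` or `german`, there is nothing SQL-shaped in the request body for a WAF to block, so the tool and the WAF can coexist without exceptions.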



## Enterprisevpssolutions (Oct 18, 2013)

LOL Always use suphp with modsec to help with the bad programming.


----------



## DamienSB (Oct 18, 2013)

Enterprisevpssolutions said:


> LOL Always use suphp with modsec to help with the bad programming.


http://www.webhostingtalk.com/showpost.php?p=7253146&postcount=9

suPHP isn't always the better choice for security.


----------



## Enterprisevpssolutions (Oct 18, 2013)

DamienSB said:


> http://www.webhostingtalk.com/showpost.php?p=7253146&postcount=9
> 
> suPHP isn't always the better choice for security.


suPHP runs PHP outside of the Apache process as CGI. Unlike CGI, however, it will run the scripts as a user other than the Apache user (presumably the user that owns the files). In addition, because your PHP is being run as a different user, any vulnerability in your site can be restricted to only the files of your website, thereby providing substantial security benefits, particularly on servers that run multiple websites.


----------



## DamienSB (Oct 18, 2013)

Enterprisevpssolutions said:


> suPHP runs PHP outside of the Apache process as CGI. Unlike CGI, however, it will run the scripts as a user other than the Apache user (presumably the user that owns the files). In addition, because your PHP is being run as a different user, any vulnerability in your site can be restricted to only the files of your website, thereby providing substantial security benefits, particularly on servers that run multiple websites.


That assumes you're on a shared hosting environment. If you’re following best practice you should never run any kind of billing platform on a shared hosting server.


----------



## Enterprisevpssolutions (Oct 18, 2013)

DamienSB said:


> That assumes you're on a shared hosting environment. If you’re following best practice you should never run any kind of billing platform on a shared hosting server.


Not just for shared hosting B) It's also used for forum/post security and more. You can never have enough security. I can say the same for people that never update the OS and other parts of the system just because they don't want to convert or update their code for the latest updates to work.


----------



## kunnu (Oct 19, 2013)

Don't troll WHMCS, otherwise your owned license will be cancelled by the WHMCS owner (maybe; read the TOS).


----------

