# WHMCS - Horrific Cleaning of variables leaves multiple zero-day possibilities



## lulzsecurity (Jun 23, 2013)

Before you ask, I've alerted Matt from WHMCS today. I won't post exactly, but the cleaning is horrific. To give you a sense of this:

Attacker A -> registers, orders a VPS; due to improper cleaning on WHMCS's part, we can abuse this.

Attacker A then gets full access to the machine using zero-day.

Improper cleaning of "$whmcs->sanitize_input_vars()". If a legit admin user A, for example, does this:

Registers, orders a VPS, but with special chars that were not filtered by the cleaning; we can then break the cmd and exec()ute more commands.

Now I must get mad at their bad coding..

```php
function {snipped}($arr) {
   global $whmcs;
   {snipped}
}

$whmcs = new WHMCS_Init();
$whmcs = $whmcs->init();
```

 

All of that is in the same file, no need to global it, as it's already created the instance. I wonder where they learned how to program, -,-.

 

Multiple issues with poor coding, however a vulnerability if not patched could lead to multiple zero-days on anything/everything that uses cleaning and relies on it.

 

I will disclose exactly how to do this IF they do not fix it.
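An added illustration in PHP of the point made in this post (it is not WHMCS's code; the function names and the `vzctl` command are hypothetical): a generic sanitizer that strips tags and escapes quotes leaves shell separators intact, so a value that later reaches exec() needs an allowlist check and escapeshellarg() rather than generic cleaning.

```php
<?php
// Added illustration (not WHMCS code): why generic input "cleaning" does not make
// a value safe to splice into a shell command, and what does.
// naive_clean, shell_metachars_left, is_valid_hostname and build_reboot_command
// are hypothetical names chosen for this example.

// A typical generic sanitizer: strips tags and escapes quotes for HTML/SQL contexts.
// It does NOT touch shell metacharacters such as ; | & ` $ ( ) < > or newlines.
function naive_clean(string $value): string
{
    return addslashes(strip_tags(trim($value)));
}

// Reports which shell metacharacters survive a "cleaned" value, as a detection aid.
function shell_metachars_left(string $value): array
{
    preg_match_all('/[;|&`$()<>\n]/', $value, $m);
    return array_values(array_unique($m[0]));
}

// Allowlist: a VPS hostname is only letters, digits, dots and hyphens,
// starts and ends with an alphanumeric and is at most 64 characters long.
function is_valid_hostname(string $value): bool
{
    return strlen($value) <= 64
        && (bool) preg_match('/^[a-z0-9]([a-z0-9.-]{0,61}[a-z0-9])?$/i', $value);
}

// Builds the command string a module might hand to exec(). Returns null when the
// value fails the allowlist; otherwise the argument goes through escapeshellarg(),
// so it is passed to the shell as one quoted token whatever it contains.
function build_reboot_command(string $hostname): ?string
{
    if (!is_valid_hostname($hostname)) {
        return null;
    }
    return 'vzctl restart ' . escapeshellarg($hostname);
}

// Constructed sample inputs: a benign hostname and one carrying a shell separator.
$samples = [
    'vps123.example.net',
    'vps123.example.net; echo',
];

foreach ($samples as $raw) {
    $cleaned = naive_clean($raw);
    $left    = shell_metachars_left($cleaned);
    printf("input: %s\n", $raw);
    printf("  after naive_clean(): %s\n", $cleaned);
    printf("  shell metachars left: %s\n", $left ? implode(' ', $left) : '(none)');
    printf("  allowlist accepts: %s\n", is_valid_hostname($raw) ? 'yes' : 'no');
    printf("  command built: %s\n\n", build_reboot_command($raw) ?? '(rejected)');
}
```

The second sample passes naive_clean() unchanged, which is exactly the gap the post describes; the allowlist rejects it before any command string exists, and escapeshellarg() covers the remaining case where a validated value is still quoted for the shell.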


----------



## thisisnotnetomx (Jun 23, 2013)

:c


----------



## D. Strout (Jun 23, 2013)

Whoever does work like that should not be allowed to program. There will be another explosion soon, or I'm an idiot. (Probably true anyway, but still...)


----------



## lulzsecurity (Jun 23, 2013)

I will release the vulnerabilities and how to do it if they don't patch it.


----------



## jarland (Jun 23, 2013)

Curtis, just leave.


----------



## lulzsecurity (Jun 23, 2013)

But lets prove everything is vulnerable...

from init class which is called for everything...

```php
$_GET = $this->sanitize_input_vars( $_GET );
$_POST = $this->sanitize_input_vars( $_POST );
$_REQUEST = $this->sanitize_input_vars( $_REQUEST );
$_SERVER = $this->sanitize_input_vars( $_SERVER );
$_COOKIE = $this->sanitize_input_vars( $_COOKIE );
```


----------



## drmike (Jun 23, 2013)

I'd love to see a proof of concept


----------



## lulzsecurity (Jun 23, 2013)

buffalooed said:


> I'd love to see a proof of concept


Did you miss the part where I said I won't release how to do it (which requires you to know the code to trigger it) unless they patch it...?


----------



## Nick_A (Jun 23, 2013)

I don't understand the point of threatening to put hosts at risk if a software company doesn't fix something you take issue with. Have they personally wronged you in some way or do you just like seeing things burn?


----------



## lulzsecurity (Jun 23, 2013)

Nick_A said:


> I don't understand the point of threatening to put hosts at risk if a software company doesn't fix something you take issue with. Have they personally wronged you in some way or do you just like seeing things burn?


I'm not threatening, I alerted Matt from WHMCS (feel free to confirm) of these issues.

Have they personally wronged me? No, not really.

Like seeing things burn? No


----------



## Nick_A (Jun 23, 2013)

lulzsecurity said:


> I'm not threatening, I alerted Matt from WHMCS (feel free to confirm) of these issues.
> 
> Have they personally wronged me? No, not really.
> 
> Like seeing things burn? No


Then explain the point. All ears.


----------



## XFS_Duke (Jun 23, 2013)

How about we don't try and bash the guy... Let's listen and try and help instead of being assholes to the person that's trying to get them to fix their mistakes... Just an idea...


----------



## lulzsecurity (Jun 23, 2013)

The point is just simply they haven't put in proper cleaning, so I feel the need to announce it to providers to be on the lookout for possible hackers if they figure it out.


----------






## jarland (Jun 23, 2013)

XFS_Duke said:


> How about we don't try and bash the guy... Let's listen and try and help instead of being assholes to the person that's trying to get them to fix their mistakes... Just an idea...


Because he isn't trying to get them to fix it. He probably didn't even contact Matt like he claimed. His number one desire is and has always been attention.


----------



## lulzsecurity (Jun 23, 2013)

jarland said:


> Because he isn't trying to get them to fix it. He probably didn't even contact Matt like he claimed. His number one desire is and has always been attention.


Feel free to open a ticket and ask, or:


----------



## XFS_Duke (Jun 23, 2013)

Well jarland, I know for a FACT he spoke to Matt, wanna know how? Well it's simple. I put him in touch with Matt myself and I've spoken to Matt about this... So... Thanks but try again....


----------



## drmike (Jun 23, 2013)

lulzsecurity said:


> Did you miss the part where I said I won't release how to do it (which requires you to know the code to trigger it) unless they patch it...?


 

No, I didn't miss that. I am not interested in a DIY recipe or how-to, but for the doubters' sake and your own, there's nothing wrong with finding a willing host and displaying the compromise effects (non-maliciously, of course).

I am a skeptic, but open minded.


----------



## jarland (Jun 23, 2013)

XFS_Duke said:


> Well jarland, I know for a FACT he spoke to Matt, wanna know how? Well it's simple. I put him in touch with Matt myself and I've spoken to Matt about this... So... Thanks but try again....


You're playing with fire.


----------



## lulzsecurity (Jun 23, 2013)

I won't share unless they patch.


----------



## XFS_Duke (Jun 23, 2013)

jarland said:


> You're playing with fire.


Why do you say that? Because I'm not just gonna let this slide? Because I am trying to help the community and not just myself? Listen, the SolusVM thing could have been prevented... I know that SolusVM can patch their issues but I'm more worried now about credit card and other info that may be stored in some of the bigger companies' databases... Imagine the possibilities for anyone who gets this exploit... Wouldn't you rather work on getting it fixed rather than bashing the person who figured it out?

But, feel free to send me a PM as to why you think I'm playing with fire...

Thanks.


----------



## lulzsecurity (Jun 23, 2013)

Jarland, how is he playing with fire? I'm interested to see your reply.

From my point of view, I just intended to release it without contacting WHMCS honestly, but after talking to XFS_Duke I agreed to notify them at least before.


----------



## Nick_A (Jun 23, 2013)

XFS_Duke said:


> How about we don't try and bash the guy... Let's listen and try and help instead of being assholes to the person that's trying to get them to fix their mistakes... Just an idea...


Perfectly willing to listen and help, but someone here needs to acknowledge that this could take a large chunk out of a host's revenue if people are going around posting exploits publicly. I'm not sure how caring about my revenue makes me an asshole. Personally, I prefer exploits to be handled discreetly. He acts like he has a personal vendetta against WHMCS, and I'd really like to know why. Does it really hurt him if WHMCS doesn't fix a mistake? Maybe he has some good justification for what he's doing, but I haven't seen anything but attention whoring. This thread has only been up for 1.5 hours and he's already said 3 times he is going to post some vulnerability publicly. Sounds like he'd prefer it if WHMCS does nothing.


----------



## jarland (Jun 23, 2013)

XFS_Duke said:


> Why do you say that? Because I'm not just gonna let this slide? Because I am trying to help the community and not just myself? Listen, the SolusVM thing could have been prevented... I know that SolusVM can patch their issues but I'm more worried now about credit card and other info that may be stored in some of the bigger companies' databases... Imagine the possibilities for anyone who gets this exploit... Wouldn't you rather work on getting it fixed rather than bashing the person who figured it out?
> 
> But, feel free to send me a PM as to why you think I'm playing with fire...
> 
> Thanks.


Because you're working with Curtis Gervais who is butt hurt over his own bad deeds in the industry and desires nothing more than to cause chaos.


----------



## lulzsecurity (Jun 23, 2013)

jarland, I don't see any proof to back up your statement on my real identity. All I see right now is someone jumping to conclusions.


----------



## XFS_Duke (Jun 23, 2013)

jarland said:


> Because you're working with ****** who is butt hurt over his own bad deeds in the industry and desires nothing more than to cause chaos.


Not working with him... Trying to make sure everything gets resolved without any more websites getting attacked... Simple as that... But by all means... If he releases it, and your site gets hacked... Don't blame me... I've done everything I could... From contacting WHMCS, Hostbill and SolusVM...


----------



## jarland (Jun 23, 2013)

lulzsecurity said:


> jarland, I don't see any proof to back up your statement on my real identity. All I see right now is someone jumping to conclusions.


You are Curtis Gervais. I don't need proof. Prove to me that you're not.


----------



## lulzsecurity (Jun 23, 2013)

@jarland I still see no proof to back up that statement.


----------



## D. Strout (Jun 23, 2013)

For goodness sakes... MannDude or mods, check the IPs of this exploit-threatening clown and see if they match up with netnub.

Even if you're not Curtis G, you really shouldn't just go throwing 0-days around. It shouldn't take the mind of a rocket scientist to see how that's a bad idea.


----------



## lulzsecurity (Jun 23, 2013)

I'm pretty sure newbie programmers could do better than WHMCS right now....

```php
global $CONFIG;
global $PHP_SELF;
global $remote_ip;

$PHP_SELF = $_SERVER['PHP_SELF'];
$this->remote_ip = $this->get_user_ip(  );
$remote_ip = $this->load_config_vars(  );
$CONFIG = $this->load_input(  );
```


----------



## KuJoe (Jun 23, 2013)

lulzsecurity said:


> @jarland I still see no proof to back up that statement.


XFS_Duke confirmed it in one of his posts. Just pointing that out so we can get back on target because who you are doesn't matter IMO.


----------



## lulzsecurity (Jun 23, 2013)

KuJoe said:


> Actually XFS_Duke confirmed it in one of his posts.


Where do you see that?


----------



## KuJoe (Jun 23, 2013)

jarland said:


> Because you're working with Curtis Gervais who is butt hurt over his own bad deeds in the industry and desires nothing more than to cause chaos.





XFS_Duke said:


> Not working with him... Trying to make sure everything gets resolved without any more websites getting attacked... Simple as that... But by all means... If he releases it, and your site gets hacked... Don't blame me... I've done everything I could... From contacting WHMCS, Hostbill and SolusVM...


He is implying that he is not working with you but trying to prevent you from releasing more exploits publicly. The pronoun "him" in "Not working with him..." and "he" in "if he releases it" is used in place of the noun that jarland provided "Curtis Gervais".


----------



## lulzsecurity (Jun 23, 2013)

There is nothing implied there. From what I see, he states he is not affiliated with the person in any way/shape/form and doesn't confirm or deny the identity of said person. All XFS_Duke confirms is that it is a male, by using "he".


----------



## jarland (Jun 23, 2013)

KuJoe said:


> He is implying that he is not working with you but trying to prevent you from releasing more exploits publicly. The pronoun "him" in "Not working with him..." and "he" in "if he releases it" is used in place of the noun that jarland provided "Curtis Gervais".


I'm just tired of it. We all know it's a good thing that people be held accountable for their code, but in the meantime some of us would just like a little rest instead of this constant knight in shining armor routine.


----------



## MCH-Phil (Jun 23, 2013)

It's all about attention, otherwise he or she would have just contacted the developer and quietly let them fix it.  

Let's break this down and be honest here. You have provided no way to fix the issue. Nor even a way to mitigate the issue until WHMCS can fix their screw-up. You really haven't provided even enough information for seasoned people to resolve it on their own in a timely fashion.

It's all "I know something is broken, and you don't. I contacted the developer and if they don't fix it, I'll make sure it can be used against you."

So what was the point of this?  Attention.  Plain and simple.

Go outside and play while you still can.  One of the people you piss off one day will surely make sure you don't see the light of day for a while.


----------



## lulzsecurity (Jun 23, 2013)

MCH-Phil said:


> It's all about attention, otherwise he or she would have just contacted the developer and quietly let them fix it.
> 
> Let's break this down and be honest here. You have provided no way to fix the issue. Nor even a way to mitigate the issue until WHMCS can fix their screw-up. You really haven't provided even enough information for seasoned people to resolve it on their own in a timely fashion.
> 
> ...


Not about attention, just warning. If they don't fix it, then you can't say no one warned you about the vulnerabilities...

A patch to fix this will be given to verified providers via private message on request, along with all changes made to the file documented.


----------



## MannDude (Jun 23, 2013)

D. Strout said:


> For goodness sakes... MannDude or mods, check the IPs of this exploit-threatening clown and see if they match up with netnub.
> 
> Even if you're not Curtis G, you really shouldn't just go throwing 0-days around. It shouldn't take the mind of a rocket scientist to see how that's a bad idea.


Sorry, was making food and then eating it. Checking it all out now.

EDIT: A quick look at the IP log, 'lulzsecurity' and 'netnub' don't share any IP addresses. Then again, most of us here probably have a VPN or (multiple) and know what Tor is and how to use it. It's not entirely helpful banning by IP.


----------



## D. Strout (Jun 23, 2013)

MannDude said:


> Sorry, was making food and then eating it. Checking it all out now.


There's a coincidence, I did that too earlier. Thanks for checking this.


----------



## upsetcvps (Jun 23, 2013)

lulz is doing nothing wrong here. Would you rather he say nothing and others exploit? He's forcing WHMCS' hand to pay attention and patch. The ball is in their court.


----------



## D. Strout (Jun 23, 2013)

upsetcvps said:


> He's forcing WHMCS' hand to pay attention and patch.


If that were what he were really doing we wouldn't mind, but what he's really doing is saying "na na na na poo poo, I've got an exploit". Holding it over our heads, trying to get everyone's attention with how smart he is. Otherwise he'd communicate _privately_ with WHMCS.


----------



## jarland (Jun 23, 2013)




upsetcvps said:


> lulz is doing nothing wrong here. Would you rather he say nothing and others exploit? He's forcing WHMCS' hand to pay attention and patch. The ball is in their court.



Yes, I'd rather him not slowly release new exploits over a long period of time to intentionally cause chaos in the market. You say he's not doing anything wrong because you are misunderstanding his intentions. He is threatening and attempting to scare providers because he is still bitter of the fact that he opened two "companies" in which he took people's money and delivered no product and still had the nerve to be angry at people for giving him a bad reputation about it.


Anyone who applies a "patch" to their WHMCS that he provides deserves what they get in return for it.


----------



## XFS_Duke (Jun 23, 2013)

jarland said:


> Yes, I'd rather him not slowly release new exploits over a long period of time to intentionally cause chaos in the market. You say he's not doing anything wrong because you are misunderstanding his intentions. He is threatening and attempting to scare providers because he is still bitter of the fact that he opened two "companies" in which he took people's money and delivered no product and still had the nerve to be angry at people for giving him a bad reputation about it.
> ...


I'm almost positive the patch will be unencrypted... Don't have confirmation on that as of yet though... Just take a chill pill and let the work be done...

He did notify WHMCS... They know about it now... Let's give them time to fix it...


----------



## MCH-Phil (Jun 23, 2013)

lulzsecurity said:


> Not about attention, just warning. If they don't fix it, then you can't say no one warned you about the vulnerabilities...
> 
> A patch to fix this will be given to verified providers via private message on request, along with all changes made to the file documented.


If this were true your original post would say this. Not 2-3 pages into the topic of you laughing with a big .|.. to everyone here. If you have a fix, post it.


----------



## vanarp (Jun 23, 2013)

People say _he_ is looking for attention. Again the same people comment more and help the thread to stay on the front page. What better punishment can be given than to simply ignore _his_ posts? Of course you can read and follow _his_ actions quietly to ensure your business doesn't get affected.


----------



## D. Strout (Jun 23, 2013)

People looking for attention always get it, in some way, shape, or form. It might be in the form of "we all hate you", so if this guy is fine with that then yes, he has accomplished his objective. Who cares, though?


----------



## mikho (Jun 23, 2013)

jarland said:


> Because he isn't trying to get them to fix it. He probably didn't even contact Matt like he claimed. His number one desire is and has always been attention.


He is trying to do a zamfoo move and look like he is a big player.


There is no reason to discuss it in public within minutes/hours after submitting it to the developer.


----------



## SeriesN (Jun 23, 2013)

Keep on bumping so that this thread can be on top and more skids will feel welcome.


----------



## kaniini (Jun 24, 2013)

Observation: all the people complaining run WHMCS, as far as I can tell.

Resulting question: why not work on improving your security instead of all of this drama stuff?  If you can't take the heat, get out of the industry before you screw your customers.


----------



## mr.tuppington (Jun 24, 2013)

lulzsecurity said:


> Now I must get mad at their bad coding..
> 
> function {snipped}($arr) {
> 
> ...


I fail to see why you're so mad about that snip of code... that's exactly how global scope variables are referenced. PHP relies on many globally _scoped_ variables. Ones like these are just defined in userland, as opposed to superglobals, which are baked in.

http://php.net/manual/en/language.variables.scope.php

> as its already created the instance

Both an lvalue assignment ($whmcs = whatever) and the use of the keyword global (global $whmcs) are not compile-time actions. They are defined/exercised during runtime, and therefore whichever one is encountered FIRST during execution will determine the fate of the other. So, only in the event that the function (function{snip}) is executed before the lvalue ($whmcs = whatever) might there be an issue. It's no different than if you were to use $GLOBALS['whmcs']... if you were to remove the keyword global, then substitute $whmcs with $GLOBALS['whmcs'], you'd get identical logic behavior (likely with some warnings about the non-existent key 'whmcs', but still the same behavior if warnings are suppressed). $GLOBALS is an empty superglobal array and is not populated unless register globals is enabled.

Even if the function were called first, the function's use of the global scope of $whmcs does not mean arbitrary user input can be injected:  the use of a variable in global scope is not the same as register_globals:

http://php.net/manual/en/security.globals.php

Curious, what do the forum's PHP aficionados think?


----------



## GIANT_CRAB (Jun 24, 2013)

lulzsecurity said:


> Now I must get mad at their bad coding..
> 
> function {snipped}($arr) {
> 
> ...


My 2 cents here

Honestly speaking, there are no security issues with that usage; however, I must agree that there's no need to global it if $whmcs = new WHMCS_Init(); is in the same file as function {snipped}($arr) {global $whmcs;} and the function is a public function.

Also, why would an experienced script kiddie/coder/programmer be mad about how terrible other people's code is?

I'm not even mad but from the way you type, you're extremely butthurt.

WHMCS (almost) always had security issues and shitty updates that are broken, so even if there are zero-day exploits, it's not a big surprise.

Hostbill isn't any better, ClientExec isn't any safer either.

From the way you speak, you (and WHMCS/HostBill/ClientExec) obviously need some PHP OOP lessons.

EDIT: See the post above me for the TL;DR edition


----------



## RiotSecurity (Jun 24, 2013)

I feel he's right about this. Banning him simply for notifying you? I think it's true, some people really are idiots.


----------



## peterw (Jun 24, 2013)

RiotSecurity said:


> I feel he's right about this. Banning him simply for notifying you? I think it's true, some people really are idiots.


Google translate:



> I feel he's right about that. I simply ban your notice? I think it is true, some people are truly idiots.


----------



## RiotSecurity (Jun 24, 2013)

Yes, the stupid idea of banning a person who has been pre-warning you and helping...

Google Translate:

Yeah, bad idea to prohibit a person who has been pre-warning you and help ...


----------



## MartinD (Jun 24, 2013)

And who, pray tell, has been pre-warning anyone and helping anyone?


----------



## peterw (Jun 24, 2013)

MartinD said:


> And who, pray tell, has been pre-warning anyone and helping anyone?


No one. Their goal was to do as much damage as possible. Selfish egomaniacs.


----------



## RiotSecurity (Jun 24, 2013)

I think everyone needs to calm down and thank "lulzsecurity" for giving you at least a real chance to protect yourselves if something happens.


----------



## MartinD (Jun 24, 2013)

Well, I think you should re-read what's been going on here recently and then jump down from that 50ft horse you've saddled.


----------



## vld (Jun 24, 2013)

RiotSecurity said:


> I think everyone needs to calm down and thank "lulzsecurity" for giving you at least a real chance to protect yourselves if something happens.


Can you stop using Google Translate <whatever> > Romanian? Not sure what you're trying to achieve.


----------



## D. Strout (Jun 24, 2013)

mr.tuppington said:


> I fail to see why you're so mad about that snip of code... that's exactly how global scope variables are referenced. PHP relies on many globally scoped variables. Ones like these are just defined in userland, as opposed to superglobals, which are baked in.


All true. But the bigger issue is: the original post was about bad input sanitization. This is not that. Come on *@**lulzsecurity*, figure out what you're mad about. Or better yet, do something about it.


----------



## RiotSecurity (Jun 24, 2013)

MartinD said:


> Well, I think you should re-read what's been going on here recently and then jump down from that 50ft horse you've saddled.


@MartinD

I read it. I agree with "lulzsecurity" and "xfs Duke", because they do make a point. You are getting angry at them, when you should be angry at the software company for leaving these exploits here and not pushing a fix for them.

@vld I am not using Google Translate. I am Romanian.


----------



## vld (Jun 24, 2013)

RiotSecurity said:


> @vld I am not using Google Translate. I am Romanian.


No. I'm Romanian, hence I know what proper Romanian looks like. Again, what are you trying to achieve?


----------



## XFS_Duke (Jun 24, 2013)

Just want to let y'all know... SolusVM found issues with their WHMCS module... They said they fixed it... Go update if you haven't already... We should know something soon regarding whether they fixed it completely or not.


----------



## MartinD (Jun 24, 2013)

'We' should know something soon.

Who is 'we'?


----------



## XFS_Duke (Jun 24, 2013)

MartinD said:


> 'We' should know something soon.
> 
> Who is 'we'?


Really? How hard is it to figure out? I'm a provider just like others here. I use WHMCS and SolusVM... So, 'we' refers to all providers. Don't start acting like I'm a bad guy because I tried to help... I could have easily just covered my own ass and let everything happen... But I didn't... I didn't want the ChicagoVPS thing to happen to anyone else...

That shit pisses me off... When someone tries to help, you sit there and think they're a bad guy because they didn't just sit back and talk shit to the person putting the issues out there... Confirm with MannDude whether I talked to him about it, confirm with WHMCS's Matt and Phill... Don't speculate that I've had anything to do with this crap, I was trying to fix it.


----------



## BK_ (Jun 24, 2013)

MartinD said:


> We




I read it as "we" = "the members of this forum".


----------



## XFS_Duke (Jun 24, 2013)

BK_ said:


> I read it as "we" = "the members of this forum".


Thanks, that is what I meant by it...


----------

