# WHMCS Vuln again?



## H_Heisenberg (Jul 11, 2013)

http://zoned.pw/?p=9

http://zoned.pw/?p=27

Truth or fake?


----------



## concerto49 (Jul 11, 2013)

We have been made aware of that website and we are monitoring it for any further postings but at this time, what has been posted is not details of an exploit. The user makes some kind of reference to globals not being necessary which is incorrect, and then goes on to reference one of the functions used in sanitizing user input in WHMCS, but doesn't provide any valid way of using that to exploit a WHMCS installation in the real world. Please rest assured that we always take security seriously, and will continue to monitor and respond as necessary to any new information.

says WHMCS...


----------



## deluxehost (Jul 11, 2013)

It's an old one, but it's real. It's about a week or so old.


----------



## Epidrive (Jul 11, 2013)

I hope this isn't bad. I hate doing WHMCS upgrades, a lot of code gets fucked up.


----------



## anyNode (Jul 11, 2013)

At least WHMCS has looked at the exploit instead of ignoring it


----------



## D. Strout (Jul 11, 2013)

anyNode said:


> At least WHMCS has looked at the exploit instead of ignoring it


Yeah, but they gave standard big company BS about how it isn't an issue and everything's OK and we're always vigilant. Yeah, right. A developer probably woke up from his before-lunch nap early and gave one file a once-over to make sure there weren't any glaring bugs. Then he went to lunch, then came back for his after-lunch nap.


----------



## MartinD (Jul 11, 2013)

So where is your billing and/or VPS panel, D Strout? All I see is you mouthing off about coders everywhere, be it WHMCS or SolusVM, saying how crap they are and that they do nothing.

"I know most of the major web "languages" out there, with proficiency in HTML, CSS, JavaScript/AJAX and PHP, as well as good familiarity with MySQL."

Does that qualify you as an expert who can do oh-so-much better?


----------



## vld (Jul 11, 2013)

deluxehost said:


> It's an old one, but it's real. It's about a week or so old.


Please, elaborate.

Anyway, I said this on LET:

So curtisg decided to run a PHP Analyzer (http://sourceforge.net/projects/rips-scanner/) on decoded WHMCS code, and he's posting all the false positives, including "exploits" generated by the analyzer that don't actually do anything.


Can he be more lame than this? Seriously, classic script kiddie stuff.


Curtisg, if you do infosec like you claim to, why can't *you* find actual vulnerabilities? Why not write an actual exploit, you know, by hand?


The difference between you and a skid that runs ./udp.pl is null. Well, actually, at least that skid may be successful.


----------



## D. Strout (Jul 11, 2013)

*@MartinD* I'm not commenting on the code, I'm commenting on big companies who know they have a monopoly in the market. From that position, they just don't give a crap about vulnerabilities. Which is why I strongly suspect there was little concern about the possibility of vulnerabilities based on what was posted in the linked website, just enough to put out an "all clear" to keep the orders flowing in.


----------



## wlanboy (Jul 11, 2013)

Programming looks so easy as long as you don't have a couple of customers.

I don't want to find any excuses for SolusVM or for WHMCS but don't bash employees because of one sales/rep guy doing "first post then think about it" stuff.
You don't know how the companies tick.

All I know is that after some years of coding, after some colleagues leave without any handover, after some "customer wants the feature even if it breaks the design" and after some "it has to be finished at 11 p.m." all code ends up as something that you don't want to work with.


----------



## Francisco (Jul 11, 2013)

vld said:


> Please, elaborate.
> 
> Anyway, I said this on LET:
> 
> ...


"The skid finds the exit; statement at the top of the udp.pl"

Anyways, whatever happened to his VPS panel that he was 90% done with? If it was truly 90% done then he's a coding machine since he did so much in a matter of *days*. I know he came knocking on my door asking for Stallion 1's code to see if we were "both on the same page" on how to integrate parts.

I'm fairly sure he's also the guy that appeared on #frantech claiming he would cancel "all of his services" with us unless he was allowed to audit Stallion 2's code.

Francisco


----------



## Mun (Jul 11, 2013)

Francisco said:


> "The skid finds the exit; statement at the top of the udp.pl"
> 
> 
> Anyways, whatever happened to his VPS panel that he was 90% done with? If it was truly 90% done then he's a coding machine since he did so much in a matter of *days*. I know he came knocking on my door asking for Stallion 1's code to see if we were "both on the same page" on how to integrate parts.
> ...



Can I look at the code, please Francisco, [email protected]@@@@555555553333333!!!!!!!!!!!!!


----------



## Francisco (Jul 11, 2013)

Mun said:


> Can I look at the code, please Francisco, [email protected]@@@@555555553333333!!!!!!!!!!!!!


Sure let me just zi- heeeeeyyyy waiiittttt a minute


----------



## D. Strout (Jul 11, 2013)

> I'm fairly sure he's also the guy that appeared on #frantech claiming he would cancel "all of his services" with us unless he was allowed to audit Stallion 2's code.


Oh boy, I better let him get a hold of that code right away, I'm going to be in pretty dire straits if I lose this one client.


----------



## wlanboy (Jul 11, 2013)

Francisco said:


> I'm fairly sure he's also the guy that appeared on #frantech claiming he would cancel "all of his services" with us unless he was allowed to audit Stallion 2's code.


I would have answered: "Thank you for your offer!"


----------



## Aldryic C'boas (Jul 12, 2013)

> I would have answered: "Thank you for your offer!"


I tend to reply to these with expediting their cancellations for them. Forcibly.


----------



## WelltodoInformalCattle (Jul 12, 2013)

Francisco said:


> I'm fairly sure he's also the guy that appeared on #frantech claiming he would cancel "all of his services" with us unless he was allowed to audit Stallion 2's code.



Surely you can't be serious. Oh lawd, I needed a good laugh.


----------



## jarland (Jul 12, 2013)

vld said:


> Please, elaborate.
> 
> Anyway, I said this on LET:
> 
> ...


Someone needs to teach this kid what it's like to get punched in the face, that's all I'm saying. I'm not being unfair, I needed a good punch in the face at one point in my life. I got it too. Anyone in Canada? Obviously I'm joking, except about his need for a cold introduction to reality. If his desire was security it'd be one thing, but those of us who have been following his actions for some time will not question his motive: to cause chaos in an industry that "rejected" him (because he repeatedly scammed people) by any means necessary. When he uses up this method, he'll move on to a new one. The ability to hide behind other people's bad code and mask it as something "good" for the "community" is just an unintended side effect of his current methods.


----------



## H_Heisenberg (Jul 14, 2013)

So it's nothing serious and already known to the WHMCS team?

If that's the point then the site is probably fake and WHMCS is going to fix everything or has already fixed everything.


----------



## perennate (Jul 14, 2013)

H_Heisenberg said:


> So it's nothing serious and already known to the WHMCS team?


Just read his posts, half of the vulnerabilities he found involve non-public-facing PHP files; how does that make any sense? The original XSS one was closest to an exploit, but it's ridiculous since single quotes are never used for attributes anywhere in WHMCS source code (and to work the exploit would need a user-supplied variable to be displayed within a singly-quoted HTML attribute).

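The condition perennate describes (a user-supplied value landing inside a single-quoted attribute) is easy to show in isolation. The PHP below is an added example for this thread, not WHMCS code, and it does not assume anything about WHMCS's own sanitizing function; it only uses PHP's `htmlspecialchars()` to show that an escaping routine which leaves the single quote alone is sufficient for double-quoted attributes and insufficient for single-quoted ones. The attribute value is constructed for the demonstration.

```php
<?php
// Added example, not WHMCS code: the quoting style of an HTML attribute decides
// whether an escaping routine is sufficient. Constructed value for the demo.
$untrusted = "x' data-injected='1";

// Escaping that converts &, <, > and " but leaves ' alone
// (ENT_COMPAT, the htmlspecialchars() default before PHP 8.1).
function escapeCompat(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT | ENT_HTML401, 'UTF-8');
}

// Escaping that also converts ' to &#039;, safe for either quoting style
// (ENT_QUOTES is part of the default from PHP 8.1 onward).
function escapeQuotes(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Render the already-escaped value into a single- and a double-quoted attribute.
function render(string $escaped): array
{
    return [
        'single' => "<input value='" . $escaped . "'>",
        'double' => '<input value="' . $escaped . '">',
    ];
}

// A correctly escaped value leaves exactly two delimiting quote characters in
// the tag; more than two means the value has broken out of the attribute.
function delimiterCount(string $tag, string $quote): int
{
    return substr_count($tag, $quote);
}

$modes = ['compat' => escapeCompat($untrusted), 'quotes' => escapeQuotes($untrusted)];
foreach ($modes as $mode => $escaped) {
    foreach (render($escaped) as $style => $tag) {
        $quote  = $style === 'single' ? "'" : '"';
        $status = delimiterCount($tag, $quote) === 2 ? 'intact' : 'BROKEN OUT';
        printf("%-6s %-6s %-10s %s\n", $mode, $style, $status, $tag);
    }
}
```

Run with `php example.php`: only the `compat` + `single` combination reports `BROKEN OUT`, which is the point perennate makes, and the `ENT_QUOTES` variant is the setting to prefer when the attribute quoting style is not under the escaper's control. The default changed in PHP 8.1, so code relying on the default behaves differently across versions.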

----------



## Francisco (Jul 14, 2013)

Voss said:


> Surely you can't be serious. Oh lawd, I needed a good laugh.


The guy was sitting in channel criticizing how I was laying out things in CodeIgniter. He felt me using actual PHP in the views was against the idea of how views work...???

Anyway, he then continued to bug me asking me simple PHP questions. He needed help with a basic switch statement, etc.

I don't know if it was Curtis but the guy made me laugh my ass off.

Francisco


----------



## mpkossen (Jul 16, 2013)

lol, I just saw the last post on there. He found out the OS and the web server they're using :-O

Guess the owner of zoned.pw needs to update the software of his server. Still runs PHP 5.3.25 while we're at 5.3.27!


----------



## jarland (Jul 16, 2013)

I saw their site go down, I guess that guy followed through with his DDOS threat. Their host doesn't seem to mind hosting their content even with such incoming attacks, as they are still hosted at 37.221.160.39 / ixam-hosting.com. Interesting that a host using WHMCS would be so willing to host people who are actively trying to destroy their wellbeing for nothing more than their own entertainment. Perhaps there's a relationship there.

He'll grow up eventually. He will just be replaced by more children though. If I thought for a single moment this was about security, I'd be cheering him on.


----------



## Wintereise (Jul 17, 2013)

Francisco said:


> The guy was sitting in channel criticizing how I was laying out things in CodeIgniter. He felt me using actual PHP in the views was against the idea of how views work...???
> 
> 
> Anyway, he then continued to bug me asking me simple PHP questions. He needed help with a basic switch statement, etc.
> ...


Post logs, we need more lulz in our boring lives.


----------



## MannDude (Jul 17, 2013)

Francisco said:


> The guy was sitting in channel criticizing how I was laying out things in CodeIgniter. He felt me using actual PHP in the views was against the idea of how views work...???
> 
> 
> Anyway, he then continued to bug me asking me simple PHP questions. He needed help with a basic switch statement, etc.
> ...


For the record, my name is 'Curtis' as well. So _please_ specify which Curtis you are referring to when using first names.

Just don't want a mix up.

Plus, if you know me, I'm PHP-retarded. Sajan P will tell you that, I sent him my 'CMS script' I wrote, haha.


----------



## Coastercraze (Jul 17, 2013)

MannDude said:


> For the record, my name is 'Curtis' as well. So _please_ specify which Curtis you are referring to when using first names
> 
> Just don't want a mix up.
> 
> Plus, if you know me, I'm PHP-retarded. Sajan P will tell you that, I sent him my 'CMS script' I wrote, haha.


It's ok, PHP always has questions anyways.


----------

