# Another WHMCS Exploit



## clarity (Oct 20, 2013)

http://blog.whmcs.com/?t=80298


I first saw this on WHT. This is really bad!


----------



## DamienSB (Oct 20, 2013)

This is bullshit.

3rd time this month....


----------



## shovenose (Oct 20, 2013)

Ridiculous.


----------



## Magiobiwan (Oct 21, 2013)

You gotta be freaking KIDDING ME.


----------



## Wintereise (Oct 21, 2013)

Classic WHMCS, I guess.


----------



## EmziD (Oct 21, 2013)

You really shocked? They are partners with cPanel; says it all. Possibly same developer?


----------



## fixidixi (Oct 21, 2013)

Oh my


----------



## clarity (Oct 21, 2013)

Here is the thread on WHT:


www.webhostingtalk.com/showthread.php?t=1314649


If you allow client changes to their information, it appears you are at risk. They can place query strings in the First name field and have the output appear in the last name field.


----------



## lifetalk (Oct 21, 2013)

I don't know how accurate this claim may be, and whether or not there's any truth to this, but the guys over at serverpolice.org said they've reported to Matt at WHMCS that v5.2.10 is still vulnerable to SQL injections. Modsec rules should help against that but there may be a patch incoming.

Like I said, I'm simply stating what I was told. I do not know how much truth there is to this claim, but at this point in time, I wouldn't doubt it either.


----------



## Reece-DM (Oct 21, 2013)

Perfect start to the week!

Can only assume there are more fields that are vulnerable.


----------



## Increhost (Oct 21, 2013)

Any of their devs around? Are they gonna hire somebody to audit their software?


----------



## WebSearchingPro (Oct 21, 2013)

Increhost said:


> Any of their devs around? Are they gonna hire somebody to audit their software?


I'm sure you can answer that last question yourself


----------



## Increhost (Oct 21, 2013)




----------



## remcom (Oct 21, 2013)

I know it can be frustrating to have to update your install but in my eyes finding and patching these exploits is a good thing. Recently a lot of security professionals and companies have been researching and discovering items in WHMCS and other hosting industry software. The fact WHMCS is acting and releasing these fixes in a timely manner is a good thing.

Obviously we would all hope for flawless products but that's a pipe dream. Even more when your product has to connect and interact with so many other products. Do not be shocked if there are not a few other "roll up" updates coming down the road from WHMCS.


----------



## SkylarM (Oct 21, 2013)

remcom said:


> I know it can be frustrating to have to update your install but in my eyes finding and patching these exploits is a good thing. Recently a lot of security professionals and companies have been researching and discovering items in WHMCS and other hosting industry software. The fact WHMCS is acting and releasing these fixes in a timely manner is a good thing.
> 
> Obviously we would all hope for flawless products but that's a pipe dream. Even more when your product has to connect and interact with so many other products. Do not be shocked if there are not a few other "roll up" updates coming down the road from WHMCS.


Praise isn't warranted when they knew stuff like this existed, but they hid behind the "encoded" veil. These fixes are released multiple HOURS after it is PUBLICLY released on sites such as localhost.
A lot of exploits in the past have been brought to the attention of WHMCS first, they deem "not worth the effort" and then said security individual posts it public, and only THEN do they tend to fix the issues.

They need to stop hiding behind a veil of "we're encoded, totally safe!" when in reality it doesn't work that way.

3 exploits in a month, all SQL injection exploits. Same exact thing, just inserted into different forms. GJ WHMCS, you fixed the one thing made public but pretended all the other areas of exploit for *the same damn thing* didn't exist. Guess what, people found them!

Especially with cPanel's name on WHMCS, they better get their act together. Being encoded cannot be seen as "secure" coding.


----------



## BuyCPanel-Kevin (Oct 21, 2013)

I hear next month WHMCS is going to come with an exploit API


----------



## SkylarM (Oct 21, 2013)

BuyCPanel-Kevin said:


> I hear next month WHMCS is going to come with an exploit API


YAY NEW FEATURES!... wait a sec


----------



## peterw (Oct 22, 2013)

dclardy said:


> If you allow client changes to their information, it appears you are at risk. They can place query strings in the First name field and have the output appear in the last name field.


WTF! Hopefully they are now checking each form for SQL injections.


----------

