amuck-landowner

Another day, another WHMCS exploit.

Coastercraze

Top Thrill
Verified Provider
Don't make people you don't trust admins, and I'm pretty sure you'll be safe from this one?
Perhaps, and watch your admin users just in case someone manages to escalate themselves to admin (unlikely, but you never know).
 

drmike

100% Tier-1 Gogent
This exploit isn't well defined... Conceptually there... Where's my proof of concept?

WHMCS needs a radical overhaul already.
 

scv

Massive Nerd
Verified Provider
Anybody running WHMCS should deploy a WAF in front. Only 'sane' way of going about it.
 

Raymii

New Member
This exploit isn't well defined... Conceptually there... Where's my proof of concept?

WHMCS needs a radical overhaul already.
Well, at least nobody can say this is an irresponsible disclosure which helps all the scriptkiddies.
 

tchen

New Member
This exploit isn't well defined... Conceptually there... Where's my proof of concept?

WHMCS needs a radical overhaul already.
It's pretty well defined. But, it's only currently an issue if you give admin access and have third-party modules installed that are vulnerable to object injection. The base install doesn't have the 'hook' to do much other than some internal bit twiddling in php :) The immediate risk is low, but it's still something they should patch.

More worrisome is that they have the same type of vulnerability in their generic cookie class - circa 5.2.7.  So far, that too is only being used in the admin pages.  Can't say anything about third-party modules though - as any of them could include it in client-facing pages.
 

perennate

New Member
Verified Provider
This exploit isn't well defined... Conceptually there... Where's my proof of concept?

WHMCS needs a radical overhaul already.
How can you get more well defined? It includes the specific line numbers that relate to the vulnerability, and a list of files that use the exploitable function. A proof of concept wouldn't help define it better, just show one way to exploit it.

serialize/unserialize shouldn't be used for arrays; there's json_encode/json_decode for example.
 
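To make the two points above concrete (unserialize() on cookie or request data reachable by loaded third-party classes, and JSON as the alternative for plain arrays), here is an added PHP example that is not code from the thread or from WHMCS; the class name, method names, cookie name and sample payloads are assumed, and the allowed_classes option needs PHP 7.0 or later.

```php
<?php
// Added example, not WHMCS code. Shows the unsafe pattern discussed in the thread beside two
// safer ways of round-tripping an array of preferences through a cookie.

class CookieStore
{
    // Vulnerable pattern: unserialize() on attacker-controlled input. Every class the
    // application has loaded (including any third-party module class) with a __wakeup() or
    // __destruct() method becomes reachable from the payload, which is the object injection
    // the thread is talking about.
    public static function readUnsafe(string $raw)
    {
        return unserialize(base64_decode($raw));
    }

    // Mitigation 1 (PHP >= 7.0): keep the serialize format but refuse to instantiate objects.
    // Any "O:" entry is returned as __PHP_Incomplete_Class, whose magic methods never run,
    // and anything that is not a plain array is discarded.
    public static function readNoObjects(string $raw): ?array
    {
        $decoded = base64_decode($raw, true);
        if ($decoded === false) {
            return null;
        }
        $data = @unserialize($decoded, ['allowed_classes' => false]);
        return is_array($data) ? $data : null;
    }

    // Mitigation 2: store plain data as JSON. json_decode() with $assoc = true only ever
    // builds scalars and arrays, so there is no class to inject.
    public static function writeJson(array $prefs): string
    {
        return base64_encode(json_encode($prefs, JSON_THROW_ON_ERROR));
    }

    public static function readJson(string $raw): ?array
    {
        $decoded = base64_decode($raw, true);
        $data = $decoded === false ? null : json_decode($decoded, true);
        return is_array($data) ? $data : null;
    }
}

// Constructed sample inputs: a benign serialized array and a serialized (harmless) stdClass.
$benign = base64_encode('a:1:{s:4:"lang";s:2:"en";}');
$object = base64_encode('O:8:"stdClass":1:{s:1:"x";i:1;}');

var_dump(CookieStore::readNoObjects($benign));   // the array survives
var_dump(CookieStore::readNoObjects($object));   // the object payload is dropped
var_dump(CookieStore::readJson(CookieStore::writeJson(['lang' => 'en'])));
```

The same allowed_classes check applies to the cookie class tchen mentions: if the stored value is only ever an array, there is no reason to let unserialize() build objects from it.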