Another WHMCS Exploit

clarity

Active Member
Here is the thread on WHT:


www.webhostingtalk.com/showthread.php?t=1314649


If you allow client changes to their information, it appears you are at risk. They can place query strings in the First name field and have the output appear in the last name field.
 

lifetalk

New Member
Verified Provider
I don't know how accurate this claim may be, and whether or not there's any truth to this, but the guys over at serverpolice.org said they've reported to Matt at WHMCS that v5.2.10 is still vulnerable to SQL injections. Modsec rules should help against that but there may be a patch incoming.

Like I said, I'm simply stating what I was told. I do not know how much truth there is to this claim, but at this point in time, I wouldn't doubt it either.
 

remcom

New Member
Verified Provider
I know it can be frustrating to have to update your install but in my eyes finding and patching these exploits is a good thing. Recently a lot of security professionals and companies have been researching and discovering items in WHMCS and other hosting industry software. The fact WHMCS is acting and releasing these fixes in a timely manner is a good thing.

Obviously we would all hope for flawless products but that's a pipe dream. Even more when your product has to connect and interact with so many other products. Do not be shocked if there are not a few other "roll up" updates coming down the road from WHMCS.
 

SkylarM

Well-Known Member
Verified Provider
> I know it can be frustrating to have to update your install but in my eyes finding and patching these exploits is a good thing. Recently a lot of security professionals and companies have been researching and discovering items in WHMCS and other hosting industry software. The fact WHMCS is acting and releasing these fixes in a timely manner is a good thing.
>
> Obviously we would all hope for flawless products but that's a pipe dream. Even more when your product has to connect and interact with so many other products. Do not be shocked if there are not a few other "roll up" updates coming down the road from WHMCS.

Praise isn't warranted when they knew stuff like this existed, but they hid behind the "encoded" veil. These fixes are released multiple HOURS after it is PUBLICLY released on sites such as localhost.
A lot of exploits in the past have been brought to the attention of WHMCS first, they deem "not worth the effort" and then said security individual posts it public, and only THEN do they tend to fix the issues.

They need to stop hiding behind a veil of "we're encoded, totally safe!" when in reality it doesn't work that way.

3 exploits in a month, all SQL injection exploits. Same exact thing, just inserted into different forms. GJ WHMCS, you fixed the one thing made public but pretended all the other areas of exploit for the same damn thing didn't exist. Guess what, people found them!

Especially with cPanel's name on WHMCS, they better get their act together. Being encoded cannot be seen as "secure" coding.
 

peterw

New Member
> If you allow client changes to their information, it appears you are at risk. They can place query strings in the First name field and have the output appear in the last name field.

WTF! Hopefully they are now checking each form for SQL injections.
 