amuck-landowner

More awful WHMCS coding

yolo

New Member
I was looking at the view source feature in Chrome in the WHMCS mass mail tool. I found this:



<input type="hidden" name="massmailquery" value="SELECT id,id AS userid,tblclients.firstname,tblclients.lastname,tblclients.email FROM tblclients WHERE id!='' AND tblclients.status IN ('Active','Inactive','Closed') AND tblclients.language IN ('')">

This is in the admin area so it isn't that bad of a security risk, but the stupidity behind this is what dumbfounds me. If they are this dumb here, where else do they do dumb stuff at?

You can see for yourself: in the mass mail tool, where you compose the e-mail, look in there and you will see the query of the previously selected options.

Keep up the great work WHMCS!
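The defect described above is a hidden form field that carries the SQL statement itself, so whoever can edit the form controls the query. The following is an added example (not WHMCS code) contrasting that pattern with the usual fix: the form submits only option names, the server checks them against an allowlist and rebuilds a parameterised query. It uses an in-memory SQLite table and constructed sample rows standing in for tblclients; treating an empty language selection as "no filter" is an assumption of this example, not WHMCS behaviour.

```python
import sqlite3

# Constructed sample rows standing in for WHMCS's tblclients (not real data).
SAMPLE_CLIENTS = [
    (1, "Ada", "Lovelace", "ada@example.test", "Active", "english"),
    (2, "Alan", "Turing", "alan@example.test", "Closed", "french"),
    (3, "Grace", "Hopper", "grace@example.test", "Fraud", "english"),
]

# Server-side allowlists: the only filter values a client is permitted to pick.
ALLOWED_STATUSES = {"Active", "Inactive", "Closed", "Fraud", "Pending"}
ALLOWED_LANGUAGES = {"english", "french", "german", "spanish"}


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblclients (id INTEGER, firstname TEXT, lastname TEXT, "
                 "email TEXT, status TEXT, language TEXT)")
    conn.executemany("INSERT INTO tblclients VALUES (?,?,?,?,?,?)", SAMPLE_CLIENTS)
    return conn


def vulnerable_recipients(conn, form):
    """The pattern from the thread: the hidden field IS the query, so the client
    decides what SQL runs. Kept only to contrast with build_recipient_query."""
    return conn.execute(form["massmailquery"]).fetchall()


def build_recipient_query(statuses, languages):
    """Rebuild the recipient query from selected option NAMES, never from SQL.
    Unknown values are rejected; an empty language list means 'no language filter'
    (an assumption of this example)."""
    bad = (set(statuses) - ALLOWED_STATUSES) | (set(languages) - ALLOWED_LANGUAGES)
    if bad:
        raise ValueError(f"rejected filter values: {sorted(bad)}")
    if not statuses:
        raise ValueError("at least one status is required")
    # Placeholders only; the allowlisted values travel as bound parameters.
    sql = ("SELECT id, id AS userid, firstname, lastname, email FROM tblclients "
           "WHERE status IN (%s)" % ",".join("?" * len(statuses)))
    params = list(statuses)
    if languages:
        sql += " AND language IN (%s)" % ",".join("?" * len(languages))
        params += list(languages)
    return sql + " ORDER BY id", params


def safe_recipients(conn, form):
    """form carries only option names (e.g. from multi-select checkboxes)."""
    sql, params = build_recipient_query(form.get("status", []), form.get("language", []))
    return conn.execute(sql, params).fetchall()
```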
 

GIANT_CRAB

New Member
They don't even have measures to prevent XSS and CSRF (just look at user or admin login), this isn't any surprise at all.
 

trewq

Active Member
Verified Provider
I was looking at the view source feature in Chrome in the WHMCS mass mail tool. I found this:



<input type="hidden" name="massmailquery" value="SELECT id,id AS userid,tblclients.firstname,tblclients.lastname,tblclients.email FROM tblclients WHERE id!='' AND tblclients.status IN ('Active','Inactive','Closed') AND tblclients.language IN ('')">

This is in the admin area so it isn't that bad of a security risk, but the stupidity behind this is what dumbfounds me. If they are this dumb here, where else do they do dumb stuff at?

You can see for yourself: in the mass mail tool, where you compose the e-mail, look in there and you will see the query of the previously selected options.

Keep up the great work WHMCS!
Did you report this to WHMCS?
 

Raymii

New Member
One more reason to put WHMCS behind a WAF like ModSecurity. I'm not even surprised anymore...
 

trewq

Active Member
Verified Provider
What's the point? This is clearly by design.
It shouldn't be though and it could be something they had in there from the start and has been overlooked.
 

dnom

New Member
One more reason to put WHMCS behind a WAF like ModSecurity. I'm not even surprised anymore...
I'm not very familiar with ModSecurity. But won't this block the mass mail tool too? It's taking SQL statements as valid field values after all. :)
 

zim

The Invader
Verified Provider
None of this is surprising to me. It's crazy how careless some industry programmers can be.
 

Raymii

New Member
I'm not very familiar with ModSecurity. But won't this block the mass mail tool too? It's taking SQL statements as valid field values after all. :)
Yep, it will block that then. That means WHMCS has to fix their crap.
 

Enterprisevpssolutions

Article Submitter
Verified Provider
suPHP runs PHP outside of the Apache script as CGI. Unlike CGI however it will run the scripts as a user other than the Apache user (presumably the user that owns the files). In addition, because your PHP is being run as a different user any vulnerability in your site can be restricted to only the files of your website thereby providing substantial security benefits particularly on servers that run multiple websites. 
 

DamienSB

Active Member
Verified Provider
suPHP runs PHP outside of the Apache script as CGI. Unlike CGI however it will run the scripts as a user other than the Apache user (presumably the user that owns the files). In addition, because your PHP is being run as a different user any vulnerability in your site can be restricted to only the files of your website thereby providing substantial security benefits particularly on servers that run multiple websites. 
That assumes you're on a shared hosting environment. If you’re following best practice you should never run any kind of billing platform on a shared hosting server.
 

Enterprisevpssolutions

Article Submitter
Verified Provider
That assumes you're on a shared hosting environment. If you’re following best practice you should never run any kind of billing platform on a shared hosting server.
Not just for shared hosting; it is also used for forum/post security and more. You can never have enough security. I can say the same for people that never update the OS and other parts of the system just because they don't want to convert or update their coding for the latest updates to work.
 