New WHMCS exploit (10-18-2013)

[MannDude]

Not going to post the link to the exploit, but it can be found easily.

May want to pull your WHMCS installs offline. Looks like it can dump admin and member data. Thought it was already posted here but looks like it's in the private provider forum so sharing here too.

 

[wlanboy]

Looks like you should shutdown your WHMCS instances again.

Usable via sviewticket.php.

This opens up a lot of other holes, for example we can write to /configuration.php whatever we want (PHP code included)

 

[rds100]

Might want to merge that 3 threads on the same topic...

 

[MannDude]

Might want to merge that 3 threads on the same topic...

Woops.

Only two are public. I'll merge those. The one with the link in it is in the provider hangout and is only visible to providers.

 

[Reece-DM]

This is getting ridiculous now!

Let's hope no one gets screwed by this.

Not looking for for WHMCS and the cPanel team.

 

[HostVenom - Brandon]

WHMCS needs to complete a third party security audit. 

 

[Lee]

I was under the impression they did get 3rd party audits done, maybe I mis-read that.  They need to find someone else if they are.

 

[BuyCPanel-Kevin]

Lol, another exploit? Wow that's pretty bad, I'm curious as to what it is though...

 

[kaniini]

Lol, another exploit? Wow that's pretty bad, I'm curious as to what it is though...

Essentially, they recreated a misfeature of PHP called "register globals".  As a result, it is possible to manipulate the variables state to do an SQL injection.  That's pretty much the tl;dr.

 

[spry]

dang! .. /facepalm

 

[MannDude]

I'm not a WHMCS customer, but does WHMCS send out a mass email or have a method of warning of such things in the admin panel? It'd be a shame if there are people out there unaware of this exploit, and even worse if WHMCS wasn't sending out emails to their customers to inform them that they need to take action, whatever it'd be they'd recommend. I know they inform you of new versions available in the admin panel but am unaware if they warn you in a manner that is impossible to miss when newly known unpatched exploits are out and about.

 

[KuJoe]

WHMCS does not send out any notification regarding security alerts until after the exploit has been verified which is usually when they have a patch for it.

Luckily we have 1 data center that keeps us updated of WHMCS exploits as soon as they hear about them (but the e-mails, PMs, and tickets are still appreciated for those who send them our way).

 

[NodeBytes]

I'm not a WHMCS customer, but does WHMCS send out a mass email or have a method of warning of such things in the admin panel? It'd be a shame if there are people out there unaware of this exploit, and even worse if WHMCS wasn't sending out emails to their customers to inform them that they need to take action, whatever it'd be they'd recommend. I know they inform you of new versions available in the admin panel but am unaware if they warn you in a manner that is impossible to miss when newly known unpatched exploits are out and about.

No, without the forums and communities I would never know about these exploits.

I'm tempted to drop WHMCS, I don't trust my client's data on it anymore. But their isn't much that compares that's self hosted.

 

[MCH-Phil]

Blog post updated, with patch.

http://blog.whmcs.com/?t=80223

 

[XFS_Duke]

Awesome.. I just updated 3 installs... Wish that WHMCS would provide multi-company support!!!!!! Oh well...

 

[ndelaespada]

Updated! now let's just sit and wait for the next exploit.

 

[concerto49]

It's still broken after the patch

 

[shovenose]

It's still broken after the patch

what's still broken?

 

[DalComp]

It's still broken after the patch

What is still broken?

What does the "evil" lines do? Just changing to invalid license key or is there any other harm?

 

[concerto49]

What is still broken?

What does the "evil" lines do? Just changing to invalid license key or is there any other harm?

This patch doesn't fix all the problems it seems.