New WHMCS exploit (10-18-2013)

MannDude

Just a dude
vpsBoard Founder
Moderator
Not going to post the link to the exploit, but it can be found easily.

May want to pull your WHMCS installs offline. Looks like it can dump admin and member data. Thought it was already posted here but looks like it's in the private provider forum so sharing here too.

wlanboy

Content Contributor
Looks like you should shutdown your WHMCS instances again.

Usable via sviewticket.php.

This opens up a lot of other holes, for example we can write to /configuration.php whatever we want (PHP code included).

MannDude

Just a dude
vpsBoard Founder
Moderator
Might want to merge those 3 threads on the same topic...
Woops.

Only two are public. I'll merge those. The one with the link in it is in the provider hangout and is only visible to providers.

Reece-DM

New Member
Verified Provider
This is getting ridiculous now!

Let's hope no one gets screwed by this.

Not looking for WHMCS and the cPanel team.

Lee

Retired Staff
Verified Provider
I was under the impression they did get 3rd party audits done, maybe I misread that. They need to find someone else if they are.

kaniini

Beware the bunny-rabbit!
Verified Provider
Lol, another exploit? Wow that's pretty bad, I'm curious as to what it is though...
Essentially, they recreated a misfeature of PHP called "register globals". As a result, it is possible to manipulate the variable state to do an SQL injection. That's pretty much the tl;dr.
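To make the mechanism kaniini describes concrete, here is a constructed PHP illustration of a hand-rolled "register globals" emulation next to a hardened version. This is added example code, not WHMCS code: the table, column, parameter and variable names (tbltickets, tid, $sessionClientId) are made up for the demonstration.

```php
<?php
// Constructed example of the "register globals" misfeature, not WHMCS code.
// All names below (tbltickets, tid, $sessionClientId) are invented.

// Vulnerable pattern: every request parameter is copied into a same-named PHP
// variable, so a value the script already trusts (here the session's client id)
// can be overwritten by whoever sends the request. Because the query is then
// built by string interpolation, that same variable also carries raw SQL.
function vulnerable_lookup(PDO $db, array $request, int $sessionClientId): array
{
    $clientid = $sessionClientId;            // trusted value, set before the loop
    foreach ($request as $key => $value) {   // hand-rolled register_globals
        $$key = $value;                      // a "clientid" parameter replaces it
    }
    $sql = "SELECT id, subject FROM tbltickets WHERE clientid = $clientid";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: read only the named parameters this action expects, validate
// their type, take authorisation data from the session only, and bind values.
function hardened_lookup(PDO $db, array $request, int $sessionClientId): array
{
    $ticketId = filter_var($request['tid'] ?? null, FILTER_VALIDATE_INT);
    if ($ticketId === false) {
        throw new InvalidArgumentException('tid must be an integer');
    }
    $stmt = $db->prepare(
        'SELECT id, subject FROM tbltickets WHERE id = ? AND clientid = ?'
    );
    $stmt->execute([$ticketId, $sessionClientId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory fixture: two tickets belonging to two different clients.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE tbltickets (id INTEGER, clientid INTEGER, subject TEXT)');
$db->exec("INSERT INTO tbltickets VALUES (1, 7, 'own ticket'), (2, 8, 'other client')");

// Constructed request from client 7 that also carries an unexpected "clientid"
// parameter. The vulnerable function lets that parameter decide whose tickets
// are read; the hardened one ignores it and scopes the query to the session.
$request = ['tid' => '1', 'clientid' => '8'];
print_r(vulnerable_lookup($db, $request, 7));
print_r(hardened_lookup($db, $request, 7));
```

Requires the pdo_sqlite extension; the same two functions work unchanged against MySQL via PDO.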

MannDude

Just a dude
vpsBoard Founder
Moderator
I'm not a WHMCS customer, but does WHMCS send out a mass email or have a method of warning of such things in the admin panel? It'd be a shame if there are people out there unaware of this exploit, and even worse if WHMCS wasn't sending out emails to their customers to inform them that they need to take action, whatever it'd be they'd recommend. I know they inform you of new versions available in the admin panel but am unaware if they warn you in a manner that is impossible to miss when newly known unpatched exploits are out and about.

KuJoe

Well-Known Member
Verified Provider
WHMCS does not send out any notification regarding security alerts until after the exploit has been verified which is usually when they have a patch for it.

Luckily we have 1 data center that keeps us updated on WHMCS exploits as soon as they hear about them (but the e-mails, PMs, and tickets are still appreciated for those who send them our way). ;)

NodeBytes

Dedi Addict
I'm not a WHMCS customer, but does WHMCS send out a mass email or have a method of warning of such things in the admin panel? It'd be a shame if there are people out there unaware of this exploit, and even worse if WHMCS wasn't sending out emails to their customers to inform them that they need to take action, whatever it'd be they'd recommend. I know they inform you of new versions available in the admin panel but am unaware if they warn you in a manner that is impossible to miss when newly known unpatched exploits are out and about.
No, without the forums and communities I would never know about these exploits.

I'm tempted to drop WHMCS, I don't trust my clients' data on it anymore. But there isn't much that compares that's self hosted.

XFS_Duke

XFuse Solutions, LLC
Verified Provider
Awesome.. I just updated 3 installs... Wish that WHMCS would provide multi-company support!!!!!! Oh well...