New WHMCS Exploit

CodyRo

New Member
Verified Provider
Did you get them to work with LiteSpeed?
LiteSpeed's mod_security implementation is iffy at best (in my opinion - although they've done a better job at improving it). We personally put web applications that we don't trust / that are important behind Apache / mod_security to get the fullest effect. Far too many times we have seen wrong behaviour with mod_security rules under LiteSpeed.

I know some of the older ASL rules worked fine with LiteSpeed; however, the latest do not, I believe.
 

George_Fusioned

Active Member
Verified Provider
Yeah, that's my experience too. Only had luck with older ASL rules until now, but to be fair they're improving mod_security support in each version.
 

terafire

New Member
Verified Provider
We took ours down this morning, and as soon as we were back up we had some odd non-completed order sign-ups.
 

rsk

Active Member
Verified Provider
I just deleted the file when I heard about the exploit, waited for a bit, got the new "patched" update, uploaded the update, some idiot decided to try to exploit - he failed.

Hell, we don't really need a "panic" button hahaha, we just need software developers to use common sense when coding  :lol:
 

TJR

New Member
Why not put your WHMCS behind an application firewall? We did. SQL injections are not happening here. Lots of free ones available online too. A great way of protecting against future attacks.
 

tchen

New Member
Or... Naxsi (which I'll give TJR the benefit of the doubt on)


Edit: Nvm, I see KuJoe already mentioned it.
 

MannDude

Just a dude
vpsBoard Founder
Moderator
am I missing something here or are you guys just jerks?
The latter part. I think that they're under the impression you work for Cloudflare or something. I don't know. Ignore them.
 

KuJoe

Well-Known Member
Verified Provider
So does anybody here have any experience with NAXSI? I was looking into it but I won't have time to set up a test environment for it until next week, and I wouldn't put anything into production without testing it, so I'm looking for some feedback before I proceed.
 

VPSCorey

New Member
Verified Provider
We've installed ASL onto my VMs running WHMCS / Hostbill to give it some exposure. No immediate issues other than Hostbill requires curl_exec and curl_multi_exec, apparently for some functions.
 

KuJoe

Well-Known Member
Verified Provider
NAXSI was a simple install and looking pretty nice so far. I've got it in learning mode for now but it looks like I could put it live without any issues. My only fear is that I'm developing our new control panel on WHMCS 5.2.x with Apache so I'll need to move that over at some point. :(
 

ServerBros

New Member
Verified Provider
We've had various users sign up and try this; my guess is they are just simply using the inurl: "powered by whmcs" search on Google. Thankfully they were quick in patching it, however a company the size of WHMCS should really have their code audited before release to prevent things like this from going unnoticed.
 

XFS_Duke

XFuse Solutions, LLC
Verified Provider
People on one of our WHMCS installs keep changing their first name to:

'AES_ENCRYPT(1,1), firstname=(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)

It isn't doing anything, but it's funny to see them register and try and try and try... lol
 

TJR

New Member
People on one of our WHMCS installs keep changing their first name to:

'AES_ENCRYPT(1,1), firstname=(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)

It isn't doing anything, but it's funny to see them register and try and try and try... lol
We should be posting IP addresses; we can black-list them.
 
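The two posts above describe the payload turning up in the first-name field and the wish to collect the source IPs for a black-list. Below is an added example of how to do that, not code from the thread or from WHMCS itself. It assumes you can get a record of each registration or profile-update attempt with its source IP and the submitted first name (the `ip`/`firstname` field names, the constructed sample events, the marker list and the threshold of 2 are all my assumptions); the payload string is the one quoted above, verbatim.

```python
"""Flag the injection payload seen in this thread in submitted profile data and
collect the source IPs for a block-list.  Added example; not WHMCS code."""
import ipaddress
import re
from urllib.parse import quote_plus, unquote_plus

# The first-name value quoted in the thread, verbatim.
PAYLOAD = ("'AES_ENCRYPT(1,1), firstname=(SELECT GROUP_CONCAT(id,0x3a,username,"
           "0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)")
# The same value as a browser sends it in an application/x-www-form-urlencoded body.
PAYLOAD_URLENCODED = quote_plus(PAYLOAD)

# Markers that have no business in a person's first name.  Each is worth one point,
# so a lone apostrophe (O'Brien) or bracket in a real name never reaches the threshold.
_MARKERS = [re.compile(p, re.IGNORECASE) for p in (
    r"AES_ENCRYPT\s*\(",           # MySQL function call, the trick used in the payload
    r"GROUP_CONCAT\s*\(",          # dumps a whole table into one column
    r"\bSELECT\b.+\bFROM\b",       # a nested SELECT
    r"\btbl(admins|clients)\b",    # WHMCS table names
    r"0x[0-9a-f]{2,}",             # hex literals used as separators (0x3a = ':', 0x2c20 = ', ')
    r"^\s*'",                      # value opens with a quote to break out of a string
    r"\w+\s*=\s*\(",               # `firstname=(...)`: reassigning a column inside SET
)]


def injection_score(value: str) -> int:
    """Number of SQL-injection markers present after form-decoding the value."""
    decoded = unquote_plus(value)
    return sum(1 for rx in _MARKERS if rx.search(decoded))


def is_injection(value: str, threshold: int = 2) -> bool:
    return injection_score(value) >= threshold


def ips_to_blacklist(events, threshold: int = 2):
    """Distinct, valid source IPs that submitted an injection payload, sorted."""
    hits = set()
    for ev in events:
        if not is_injection(ev["firstname"], threshold):
            continue
        try:
            hits.add(ipaddress.ip_address(ev["ip"]))
        except ValueError:
            continue            # malformed or missing IP: nothing to block, skip it
    # sort v4 before v6, then numerically (v4 and v6 objects do not compare directly)
    return [str(ip) for ip in sorted(hits, key=lambda a: (a.version, a))]


def to_iptables(ips):
    """One iptables DROP rule per IP (Linux host firewall; adapt to your own setup)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]


# Constructed sample events (not real traffic): whatever your panel logs for a
# registration or profile update, reduced to source IP and submitted first name.
SAMPLE_EVENTS = [
    {"ip": "203.0.113.10", "firstname": "Alice"},
    {"ip": "203.0.113.10", "firstname": "Alice O'Brien"},        # legitimate apostrophe
    {"ip": "198.51.100.7", "firstname": PAYLOAD},
    {"ip": "198.51.100.7", "firstname": PAYLOAD_URLENCODED},     # same attacker, form-encoded
    {"ip": "192.0.2.44",   "firstname": PAYLOAD.replace("tbladmins", "tblclients")},
    {"ip": "not-an-ip",    "firstname": PAYLOAD},                # broken log line
]

if __name__ == "__main__":
    for cmd in to_iptables(ips_to_blacklist(SAMPLE_EVENTS)):
        print(cmd)
```

Two caveats a practitioner would want: this only finds attempts after they reached the application, whereas the mod_security/NAXSI setups discussed earlier in the thread stop the request in front of it, so treat the list as a supplement; and an IP block-list is cheap to dodge through a proxy, so keep the patch, not the block-list, as the actual fix.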