Jon.Fatino
New Member
That's a pretty bad one right there... Hope it gets fixed asap.
Shamelessly copied it as well :wub:
Nah, go for it, I don't mind.
Let's all include BuyVM support e-mail as well, then we can take the day off
Shamelessly copied it as well :wub:
It affected all 5.x, didn't check it on 4
People now seem to be suggesting this only affected 5.2.7 ... I find that hard to believe.
You have bigger issues if you're still running 4.x
It affected all 5.x, didn't check it on 4
It's an old file, from back in the <4.* days. I find it very hard to believe that they would take a secure, working file and replace it with such a massive security hole - so there's every reason to assume that all WHMCS versions are affected.
It affected all 5.x, didn't check it on 4
Including a python script to take advantage of it? Talk about responsible disclosure. -_-
http://localhost.re/p/whmcs-527-vulnerability
tl;dr - A rather gaping security hole in WHMCS. I've taken ours offline - strongly suggest other providers do the same.
Passwords aside - that's a lot of names/emails/physical addresses that just got leaked. Those folks won't be happy.
The first provider emailing with bad news, ShardHost:
URGENT - Recent WHMCS Exploit
Upon investigation in light of the recent WHMCS exploit (http://blog.whmcs.com/?t=79427) it has been discovered that our client database was accessed as a result of using this exploit. Although client area passwords are not stored in plain text it is advisable that you change passwords as a matter of precaution. KVM root server passwords are not affected as these are not stored at all.
Although we patched our systems as soon as we were able to it seems we were one of the first targets. We have since restored a clean restoration of our billing system prior to the attack and have confirmed this is no longer vulnerable to the particular attack vector used.
We apologise sincerely for this breach of your trust and are deeply disappointed ourselves in the trust we place in WHMCS as a third party billing software provider.
If you have any questions on this matter, please contact us via support ticket; where we will be happy to discuss this matter in detail.
Again please accept our apologies on this matter.
I doubt this will be the last, unfortunately, although I'm more worried about the customers of the providers that either don't notify them or don't even know they were exploited.
That is definitely useful but things such as WHMCS (or really any web application) should be behind a WAF. Most generic SQL injection rules would have prevented this - I know ours prevented the exploit from even getting to WHMCS.
Everyone go and install mod_dumpio. Who knows when you would need to analyze the logs?
Did you get them to work with LiteSpeed?
I'd recommend taking a peek at ASL's modsec rules - they're robust and very well done (modular to boot as well)!
