
New WHMCS Exploit

Jade

NodeServ
Verified Provider
Ahh, hope it gets fixed soon! We removed our billing system as well until this is fixed.

Aldryic C'boas

The Pony
It affected all 5.x, didn't check it on 4
It's an old file, from back in the <4.* days.  I find it very hard to believe that they would take a secure, working file and replace it with such a massive security hole - so there's every reason to assume that all WHMCS versions are affected.

lbft

New Member
The first provider emailing with bad news, ShardHost:

URGENT - Recent WHMCS Exploit

Upon investigation in light of the recent WHMCS exploit (http://blog.whmcs.com/?t=79427) it has been discovered that our client database was accessed as a result of using this exploit. Although client area passwords are not stored in plain text it is advisable that you change passwords as a matter of precaution. KVM root server passwords are not affected as these are not stored at all.

Although we patched our systems as soon as we were able to, it seems we were one of the first targets. We have since restored a clean copy of our billing system from before the attack and have confirmed this is no longer vulnerable to the particular attack vector used.

We apologise sincerely for this breach of your trust and are deeply disappointed ourselves in the trust we placed in WHMCS as a third-party billing software provider.

If you have any questions on this matter, please contact us via support ticket, where we will be happy to discuss this matter in detail.

Again please accept our apologies on this matter.

I doubt this will be the last, unfortunately, although I'm more worried about the customers of the providers that either don't notify them or don't even know they were exploited.

rds100

New Member
Verified Provider
Everyone go and install mod_dumpio. Who knows when you would need to analyze the logs?

Aldryic C'boas

The Pony
lbft said: (the ShardHost notice, quoted in full above)
Passwords aside - that's a lot of names/emails/physical addresses that just got leaked.  Those folks won't be happy.

CodyRo

New Member
Verified Provider
rds100 said: Everyone go and install mod_dumpio. Who knows when you would need to analyze the logs?

That is definitely useful, but things such as WHMCS (or really any web application) should be behind a WAF. Most generic SQL injection rules would have prevented this - I know ours prevented the exploit from even getting to WHMCS.

I'd recommend taking a peek at ASL's modsec rules - they're robust and very well done (modular to boot as well)!
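Tying together rds100's point (keep request logs, you will want to analyse them) and CodyRo's point (a generic SQL-injection rule stops this class of request before it reaches the application): the block below is an added example, not code from this thread, from WHMCS, or from ASL's rule set. It parses Apache combined-format access log lines, normalises each request the way a WAF would (repeated URL-decoding so double-encoded payloads do not slip through, inline comments collapsed to whitespace) and flags requests that trip a small illustrative set of SQL-injection signatures. The log lines, hosts and paths are constructed for the example; the rule set is deliberately tiny and is not ASL's or any production ruleset.

```python
"""Scan Apache access-log lines for SQL-injection attempts.

Added example for this thread, not code from WHMCS, ASL or any poster.
The log lines and the rule set are constructed for illustration; a real
WAF ruleset (ASL's, the OWASP CRS) is far larger and more careful.
"""
import re
from urllib.parse import unquote_plus

# Apache "combined" log format, assumed here:
#   host ident user [time] "METHOD PATH PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A small generic SQLi signature set, applied to the *normalised* request.
SQLI_RULES = [
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("tautology", re.compile(r"(['\"]|\b)\s*or\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+", re.I)),
    ("comment-terminator", re.compile(r"--\s*$")),
    ("sql-function", re.compile(r"\b(load_file|benchmark|sleep|information_schema)\b", re.I)),
    ("stacked-query", re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I)),
]

MAX_DECODE_PASSES = 3


def normalise(raw):
    """URL-decode until the text stops changing (defeats %25-style double
    encoding), strip /* */ comments used as whitespace, collapse spaces."""
    text = raw
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text).strip()


def match_sqli(text):
    """Names of the rules the normalised text trips (empty list if clean)."""
    return [name for name, rx in SQLI_RULES if rx.search(text)]


def parse_line(line):
    """Split one combined-log line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(lines):
    """Return (host, raw path, rule names) for every request that trips a rule.
    Only the request line is visible in an access log; POST bodies need
    mod_dumpio or the WAF audit log, and can then be fed through
    match_sqli(normalise(body)) in exactly the same way."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = match_sqli(normalise(rec["path"]))
        if hits:
            findings.append((rec["host"], rec["path"], hits))
    return findings


# Constructed sample log (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = [
    # benign traffic, including a search that merely contains SQL keywords
    '203.0.113.10 - - [09/Oct/2013:12:00:01 +0000] "GET /clientarea.php?action=products HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [09/Oct/2013:12:00:03 +0000] "GET /knowledgebase.php?search=orders+for+select+customers HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # UNION-based extraction via a query-string id
    '198.51.100.7 - - [09/Oct/2013:12:00:05 +0000] "GET /viewinvoice.php?id=1%20UNION%20SELECT%201%20FROM%20users HTTP/1.1" 200 812 "-" "curl/7.29"',
    # same idea, double URL-encoded to slip past a single-decode filter
    '198.51.100.7 - - [09/Oct/2013:12:00:09 +0000] "GET /viewinvoice.php?id=1%2520UNION%2520SELECT%25201 HTTP/1.1" 500 0 "-" "curl/7.29"',
    # tautology with inline comments standing in for spaces
    '198.51.100.7 - - [09/Oct/2013:12:00:12 +0000] "GET /login.php?user=admin%27/**/or/**/1=1-- HTTP/1.1" 302 0 "-" "curl/7.29"',
]

if __name__ == "__main__":
    for host, path, hits in scan_log(SAMPLE_LOG):
        print(f"{host} {path} -> {', '.join(hits)}")
```

Running it prints the three flagged requests from the sample and nothing for the two benign ones. Two caveats worth keeping in mind: signature matching like this (or a WAF rule) buys time and gives you something to grep for after the fact, but it is not a substitute for the vendor patch and for the application using parameterised queries; and it only sees what was logged, which is why rds100's point about having request bodies captured at all comes first.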