SolusVM WHMCS Module Vulnerability

[weservit]

http://localhost.re/p/solusvm-whmcs-module-316-vulnerability

...

We are running everything in FCGI mode, but just to warn people who aren't.

 

[john]

great...

 

[drmike]

Wow.  That's a total hack job... Full access.

Wish this info would have waited until after their "audit"

 

[SkylarM]

and so it begins.

 

[blergh]

Shit happens.

 

[Chronic]

Hopefully providers act fast. I've got my popcorn ready.

 

[Patrick]

You can still be hacked even if your running in FCGI, just need to crash your php and guess time it restarts etc.

 

[kaniini]

I have to say that is actually a pretty brilliant exploit, owning the fact that it's a multi-part POST to Solus is amazing.

I am seriously impressed.

 

[ShardHost]

Lockdown just turned into shutdown.

 

[Steven]

As I said on webhostingtalk, something to make a note of, running fastcgi does not mean you are immune. All someone needs to do is crash your fastcgi processes or webserver. Furthermore, if you run whmcs on a cpanel server with default log processing times and fastcgi, your webserver will restart itself every two hours which makes it predictable.

 

[George_Fusioned]

Steven nice to have you here, welcome

 

[SeriesN]

Disabled Api aceess for now. Back to caveman days. Doing everything manually.

 

[upsetcvps]

chicago vps PLEASE TELL ME YOU'VE SEEN THIS.  PLEASE RESTORE MY FAITH.

 

[SkylarM]

chicago vps PLEASE TELL ME YOU'VE SEEN THIS.  PLEASE RESTORE MY FAITH.

God i'd hope so... THAT would be a mess.

 

[ShardHost]

As I said on webhostingtalk, something to make a note of, running fastcgi does not mean you are immune. All someone needs to do is crash your fastcgi processes or webserver. Furthermore, if you run whmcs on a cpanel server with default log processing times and fastcgi, your webserver will restart itself every two hours which makes it predictable.

Good advice and welcome.

Some different ways to resolve this:

1) Shutdown Solus

2) Disable API Access

3) Disable access from WHMCS install to Solus

4) Remove the rootpassword.php file

I think this is the tip of the iceberg.  This person at localhost.re is obviously very talented and this latest exploit is very elegant.  This is likely to get a whole lot messier before it gets better. 

 

[Steven]

4) Remove the rootpassword.php file

I wanted to mention, this is not the only file that is vulnerable as confirmed by sources on IRC.

 

[ShardHost]

I wanted to mention, this is not the only file that is vulnerable as confirmed by sources on IRC.

We had already removed the entirety of the SolusVM module. 

 

[D. Strout]

What fun. What will be next? I'm still waiting for the vulnerability in OpenVZ and/or KVM themselves. The main software of this industry is going to shit, anytime now it will be the actual technologies it is based on. $7/mo dedis or bust!

 

[Marc M.]

@D. Strout KVM vulnerabilities are less likely to occur, just because of the way it functions.

 

[kaniini]

What fun. What will be next? I'm still waiting for the vulnerability in OpenVZ and/or KVM themselves. The main software of this industry is going to shit, anytime now it will be the actual technologies it is based on. $7/mo dedis or bust!

The underlying technologies are okay.  The problem is that SolusVM, WHMCS etc are crapware written by incompetent people who have no business writing software, but get away with it because hosting is now the new kind of lemonade stand.  Don't believe me?  Look at that shovenose kid -- he launched a KVM VPS company without even knowing how to use KVM.

Quite frankly, if you don't understand your virtualization stack and enough about writing code to at least take a critical look at the software you are deploying, you don't need to be playing in this industry.

To be frank: let the incompetent providers burn.  It will be a huge win for consumers.