amuck-landowner

WHMCS - Horrific Cleaning of variables leaves multiple zero-day possibilities

lulzsecurity

New Member
Before you ask, I've alerted Matt from WHMCS today, I won't post exactly, but the cleaning is horrific. To give you a few sense about this,

Attacker A -> register, orders vps, due to improper cleaning on  whmcs part, we can abuse this.

Attacker A then gets full access to the machine using zero-day.

Improper cleaning of "$whmcs->sanitize_input_vars()". If legit admin user a for example does this:

Register, order vps but has special chars that were not filtered by cleaning, we can then break the cmd and exec()ute more commands.

Now I must get mad at their bad coding..

function {snipped}($arr) {

   global $whmcs;

 {snipped}

}

$whmcs = new WHMCS_Init();

$whmcs = $whmcs->init();

 

All of that is in the same file, no need to global it, as its already created the instance. I wonder where they learned how to program, -,-.

 

Multiple issues with poor coding, however a vulnerability if not patched could lead to multiple zero-days on anything/everything that uses cleaning and relies on it.

 

I will disclose exactly how to do this IF they do not fix it.
 
Last edited by a moderator:

D. Strout

Resident IPv6 Proponent
Whoever does work like that should not be allowed to program. There will be another explosion soon, or I'm an idiot. (Probably true anyway, but still...)
 

lulzsecurity

New Member
But lets prove everything is vulnerable...

from init class which is called for everything...

$_GET = $this->sanitize_input_vars( $_GET );

$_POST = $this->sanitize_input_vars( $_POST );

$_REQUEST = $this->sanitize_input_vars( $_REQUEST );

$_SERVER = $this->sanitize_input_vars( $_SERVER );

$_COOKIE = $this->sanitize_input_vars( $_COOKIE );
 

Nick_A

Provider of the year (2014)
I don't understand the point of threatening to put hosts at risk if a software company doesn't fix something you take issue with. Have they personally wronged you in some way or do you just like seeing things burn?
 

lulzsecurity

New Member
I don't understand the point of threatening to put hosts at risk if a software company doesn't fix something you take issue with. Have they personally wronged you in some way or do you just like seeing things burn?
I'm not threatening, I alerted Matt from WHMCS(feel free to confirm) of these issues. 

Have they personally wronged me? No, not really.

Like seeing things burn? No
 

XFS_Duke

XFuse Solutions, LLC
Verified Provider
How about we don't try and bash the guy... Lets listen and try and help instead of being assholes to the person thats trying to get them to fix their mistakes... Just an idea...
 

lulzsecurity

New Member
The point is just simply they haven't put in proper cleaning, so I feel the need to announce it to providers to be on the lookout for possible hackers if they figure it out.
 

lulzsecurity

New Member
The point is just simply they haven't put in proper cleaning, so I feel the need to announce it to providers to be on the lookout for possible hackers if they figure it out.
 

jarland

The ocean is digital
How about we don't try and bash the guy... Lets listen and try and help instead of being assholes to the person thats trying to get them to fix their mistakes... Just an idea...
Because he isn't trying to get them to fix it. He probably didn't even contact Matt like he claimed. His number one desire is and has always been attention.
 

lulzsecurity

New Member
Because he isn't trying to get them to fix it. He probably didn't even contact Matt like he claimed. His number one desire is and has always been attention.
Feel free to open ticket and ask, or:

rgtr.png
 

XFS_Duke

XFuse Solutions, LLC
Verified Provider
well jarland, I know for a FACT he spoke to Matt, wanna know how? Well it's simple. I put him in touch with Matt myself and I've spoken to Matt about this... So... Thanks but try again....
 

drmike

100% Tier-1 Gogent
Did you miss the part I won't release how to do it (which requires you need to know the code to trigger it) unless they patch it...?
 

No, I didn't miss that :)  I am not interested in a DIY recipe or howto, but for the doubters sake and your own, nothing wrong with finding a willing host and displaying the compromise effects (non maliciously of course).  

I am a skeptic, but open minded.  
 
Top
amuck-landowner