WHMCS - Horrific Cleaning of variables leaves multiple zero-day possibilities

[D. Strout]

He's forcing wmhcs' hand to pay attention and patch.

If that were what he were really doing we wouldn't mind, but what he's really doing is saying "na na na na poo poo, I've got an exploit". Holding it over our heads, trying to get everyone's attention with how smart he is. Otherwise he'd communicate privately with WHMCS.

 

[jarland]

 

lulz is doing nothing wrong here.  Would you rather he say nothing and others exploit?  He's forcing wmhcs' hand to pay attention and patch.  The ball is in their court.

 

Yes, I'd rather him not slowly release new exploits over a long period of time to intentionally cause chaos in the market. You say he's not doing anything wrong because you are misunderstanding his intentions. He is threatening and attempting to scare providers because he is still bitter of the fact that he opened two "companies" in which he took people's money and delivered no product and still had the nerve to be angry at people for giving him a bad reputation about it.


Anyone who applies a "patch" to their WHMCS that he provides deserves what they get in return for it.

 

[XFS_Duke]

   


Yes, I'd rather him not slowly release new exploits over a long period of time to intentionally cause chaos in the market. You say he's not doing anything wrong because you are misunderstanding his intentions. He is threatening and attempting to scare providers because he is still bitter of the fact that he opened two "companies" in which he took people's money and delivered no product and still had the nerve to be angry at people for giving him a bad reputation about it.


Anyone who applies a "patch" to their WHMCS that he provides deserves what they get in return for it.

I'm almost positive the patch will be unencrypted... Don't have confirmation on that as of yet though... Just take a chill pill and let the work be done...

He did notify WHMCS... They know about it now... Let's give them time to fix it...

 

[MCH-Phil]

Not about attention, just warning. If they don't fix it, then you can't say no one warned you about the vulnerabilities...

A patch to fix this will be given to verified providers via private message on request along with all changes made to file documented.

If this were true your original post would say this.  Not 2-3 pages into the topic of you laughing with a big .|.. to everyone here.  If you have a fix post it.

 

[vanarp]

People say he is looking for attention. Again the same people comment more and help the thread to stay on the front page. What better punishment can be given than to simply ignore his posts? Of course you can read and follow his actions quietly to ensure your business doesn't get affected.

 

[D. Strout]

People looking for attention always get it, in some way, shape, or form. It might be in the form of "we all hate you", so if this guy is fine with that then yes, he has accomplished his objective. Who cares, though?

 

[mikho]

Because he isn't trying to get them to fix it. He probably didn't even contact Matt like he claimed. His number one desire is and has always been attention.

He is trying to do a zamfoo move and look like he is a big player.


There is no reason to discuss it in public within minutes/hours after submitting it to the developer.

 

[SeriesN]

Keep on bumping so that this thread can be on top and more skid will feel welcome.

 

[kaniini]

Observation: all the people complaining run WHMCS, as far as I can tell.

Resulting question: why not work on improving your security instead of all of this drama stuff?  If you can't take the heat, get out of the industry before you screw your customers.

 

[mr.tuppington]

Now I must get mad at their bad coding..

function {snipped}($arr) {

   global $whmcs;

 {snipped}

}

$whmcs = new WHMCS_Init();

$whmcs = $whmcs->init();

 

All of that is in the same file, no need to global it, as its already created the instance. I wonder where they learned how to program, -,-.

I fail to see why you're so mad about that snip of code...that's exactly how global scope variables are referenced.  PHP relies on many globally scoped variables.  Ones like these are just defined in userland, as opposed to super globals, which, are baked in.

http://php.net/manual/en/language.variables.scope.php

as its already created the instance

both an lvalue assignment ($whmcs = whatever) and the use of the keyword global (global $whmcs) are not compile time actions.  The are defined/exercised during runtime, and therefore whichever one is encounter FIRST during execution will determine the fate of the other.  So, only in the event that the function (function{snip}) is executed before the lvalue ($whmcs = whatever) might there be an issue.  it's no different than if you where to $GLOBALS['whmcs']...if you were to remove the keyword global, then substitute $whmcs with $GLOBALS['whmcs'] you'd get identical logic behavior (likely with some warnings about non-existent key 'whmcs', but still the same behavior if warnings are suppressed).  $GLOBALS is an empty super global array and is not populated unless register globals is enabled.

Even if the function were called first, the function's use of the global scope of $whmcs does not mean arbitrary user input can be injected:  the use of a variable in global scope is not the same as register_globals:

http://php.net/manual/en/security.globals.php

Curious, what does the forums PHP aficionados think? 

 

[GIANT_CRAB]

Now I must get mad at their bad coding..

function {snipped}($arr) {

   global $whmcs;

 {snipped}

}

$whmcs = new WHMCS_Init();

$whmcs = $whmcs->init();

 

All of that is in the same file, no need to global it, as its already created the instance. I wonder where they learned how to program, -,-.

My 2 cents here

Honestly speaking, there's no security issues with that usage but however, I must agree that there's no need to global it if $whmcs = new WHMCS_Init(); is in the same file of function {snipped}($arr) {global $whmcs;} and that the function is a public function.

Also, why would an experienced script kiddie/coder/programmer be mad about how terrible other people's code are?

I'm not even mad but from the way you type, you're extremely butthurt.

WHMCS (almost) always had security issues and shitty updates that are broken, so even if there are zero day exploits, its not a big surprise.

Hostbill isn't any better, ClientExec isn't any safer either.

From the way you speak, you (and WHMCS/HostBill/ClientExec) obviously need some PHP OOP lessons.

EDIT: See the post above me for TLR; edition

 

[RiotSecurity]

Eu simt că el are dreptate cu asta. I interzicerea pur și simplu pentru tine notificare? Cred că este adevărat, unii oameni sunt idioti adevărat.

 

[peterw]

Eu simt că el are dreptate cu asta. I interzicerea pur și simplu pentru tine notificare? Cred că este adevărat, unii oameni sunt idioti adevărat.

Google translate:

I feel he's right about that. I simply ban your notice? I think it is true, some people are truly idiots.

 

[RiotSecurity]

Da, ideea de prost de a interzice unei persoane care a fost tine și de pre-avertizare ajută ...

Google Translate:

Yeah, bad idea to prohibit a person who has been pre-warning you and help ...

 

[MartinD]

And who, pray tell, has been pre-warning anyone and helping anyone?

 

[peterw]

And who, pray tell, has been pre-warning anyone and helping anyone?

Noone. Their goal was to do as much damage as possible. Selfish egomanics.

 

[RiotSecurity]

Cred că toți trebuie să se calmeze și să le mulțumesc "lulzsecurity" pentru a ți-o dă la-cel puțin o șansă reală de a vă proteja dacă se întâmplă ceva.

 

[MartinD]

Well, I think you should re-read what's been going on here recently and then jump down from that 50ft horse you've saddled.

 

[vld]

Cred că toți trebuie să se calmeze și să le mulțumesc "lulzsecurity" pentru a ți-o dă la-cel puțin o șansă reală de a vă proteja dacă se întâmplă ceva.

Can you stop using google translate <whatever> > romanian? Not sure what you're trying to achieve.

 

[D. Strout]

I fail to see why you're so mad about that snip of code...that's exactly how global scope variables are referenced.  PHP relies on many globally scoped variables.  Ones like these are just defined in userland, as opposed to super globals, which, are baked in.

All true. But the bigger issue is: the original post was about bad input sanitization. This is not that. Come on @lulzsecurity, figure out what you're mad about. Or better yet, do something about it.