amuck-landowner

WHMCS Vuln again?

concerto49

New Member
Verified Provider
We have been made aware of that website and we are monitoring it for any further postings but at this time, what has been posted is not details of an exploit. The user makes some kind of reference to globals not being necessary which is incorrect, and then goes on to reference one of the functions used in sanitizing user input in WHMCS, but doesn't provide any valid way of using that to exploit a WHMCS installation in the real world. Please rest assured that we always take security seriously, and will continue to monitor and respond as necessary to any new information.

says WHMCS...
 

D. Strout

Resident IPv6 Proponent
At least WHMCS has looked at the exploit instead of ignoring it
Yeah, but they gave standard big company BS about how it isn't an issue and everything's OK and we're always vigilant. Yeah, right. A developer probably woke up from his before-lunch nap early and gave one file a once-over to make sure there weren't any glaring bugs. Then he went to lunch, then came back for his after-lunch nap.
 

MartinD

Retired Staff
Verified Provider
Retired Staff
So where is your billing and/or VPS panel, D Strout? All I see if you mouthing off about coders everywhere, be it WHMCS or SolusVM, saying how crap they are and that they do nothing.

"I know most of the major web "languages" out there, with proficiency in HTML, CSS, JavaScript/AJAX and PHP, as well as good familiarity with MySQL."

Does that qualify you as an expert who can do oh-so-much better?
 

vld

New Member
Verified Provider
Its an old one, but its real..its about a week or so old.
Please, elaborate.

Anyway, I said this on LET:

So curtisg decided to run a PHP Analyzer (http://sourceforge.net/projects/rips-scanner/) on decoded WHMCS code, and he's posting all the false positives, including "exploits" generated by the analyzer that don't actually do anything.


Can he be more lame than this? Seriously, classic script kiddie stuff.


Curtisg, if you do infosec like you claim to, why can't  you find actual vulnerabilities? Why not write an actual exploit, you know, by hand?


The difference between you and a skid that runs ./udp.pl is null. Well, actually, at least that skid may be successful :)
 
Last edited by a moderator:

D. Strout

Resident IPv6 Proponent
@MartinD I'm not commenting on the code, I'm commenting on big companies who know they have a monopoly in the market. From that position, they just don't give a crap about vulnerabilities. Which is why I strongly suspect there was little concern about the possibility of vulnerabilities based on what was posted in the linked website, just enough to put out an "all clear" to keep the orders flowing in.
 
Last edited by a moderator:

wlanboy

Content Contributer
Programming looks so easy as long as you don't have a couple of customers :D

I don't want to find any excuses for SolusVM or for WHMCS but don't bash employees because of one sales/rep guy doing "first post then think about it" stuff.
You don't know how the companies tick.

All I know is that after some years of coding, after some colleague leave without any handing over, after some "customer want feature even if it breaks the design" and after some "it has to be finished at 11p.m." all code ends in something that you don't want to work with.
 

Francisco

Company Lube
Verified Provider
Please, elaborate.

Anyway, I said this on LET:

So curtisg decided to run a PHP Analyzer (http://sourceforge.net/projects/rips-scanner/) on decoded WHMCS code, and he's posting all the false positives, including "exploits" generated by the analyzer that don't actually do anything.

Can he be more lame than this? Seriously, classic script kiddie stuff.

Curtisg, if you do infosec like you claim to, why can't  you find actual vulnerabilities? Why not write an actual exploit, you know, by hand?

The difference between you and a skid that runs ./udp.pl is null. Well, actually, at least that skid may be successful :)
"The skid finds the exit; statement at the top of the udp.pl"

Anyways, what ever happened to his VPS panel that he was 90% done? If it was truly 90% done then he's a coding machine since he did so much in a matter of days. I know he came knocking on my door asking for Stallion 1's code to see if we were "both on the same page" on how to integrate parts.

I'm fairly sure he's also the guy that appeared on #frantech claiming he would cancel "all of his services" with us unless he was allowed to audit Stallion 2's code.

Francisco
 
Last edited by a moderator:

Mun

Never Forget
"The skid finds the exit; statement at the top of the udp.pl"


Anyways, what ever happened to his VPS panel that he was 90% done? If it was truly 90% done then he's a coding machine since he did so much in a matter of days. I know he came knocking on my door asking for Stallion 1's code to see if we were "both on the same page" on how to integrate parts.


I'm fairly sure he's also the guy that appeared on #frantech claiming he would cancel "all of his services" with us unless he was allowed to audit Stallion 2's code.


Francisco

Can I look at the code, please Francisco, [email protected]@@@@555555553333333!!!!!!!!!!!!!
 

D. Strout

Resident IPv6 Proponent
I'm fairly sure he's also the guy that appeared on #frantech claiming he would cancel "all of his services" with us unless he was allowed to audit Stallion 2's code.
Oh boy, I better let him get a hold of that code right away, I'm going to be in pretty dire straits if I lose this one client.
 

jarland

The ocean is digital
Please, elaborate.

Anyway, I said this on LET:

So curtisg decided to run a PHP Analyzer (http://sourceforge.net/projects/rips-scanner/) on decoded WHMCS code, and he's posting all the false positives, including "exploits" generated by the analyzer that don't actually do anything.


Can he be more lame than this? Seriously, classic script kiddie stuff.


Curtisg, if you do infosec like you claim to, why can't  you find actual vulnerabilities? Why not write an actual exploit, you know, by hand?


The difference between you and a skid that runs ./udp.pl is null. Well, actually, at least that skid may be successful :)
Someone needs to teach this kid what it's like to get punched in the face, that's all I'm saying. I'm not being unfair, I needed a good punch in the face at one point in my life. I got it too. Anyone in Canada? Obviously I'm joking, except about his need for a cold introduction to reality. If his desire was security it'd be one thing, but those of us who have been following his actions for some time will not question his motive: to cause chaos in an industry that "rejected" him (because he repeatedly scammed people) by any means necessary. When he uses up this method, he'll move on to a new one. The ability to hide behind other people's bad code and mask it as something "good" for the "community" is just an unintended side effect of his current methods.
 
Last edited by a moderator:

H_Heisenberg

New Member
So it's nothing serious and already known to the WHCMS team?

If it's the point then the site is probably fake and WHCMS is going to fix everything or has already fixed everything.
 

perennate

New Member
Verified Provider
So it's nothing serious and already known to the WHCMS team?
Just read his posts, half of the vulnerabilities he found involve non-public-facing PHP files; how does that make any sense? The original XSS one was closest to an exploit, but it's ridiculous since single quotes are never used for attributes anywhere in WHMCS source code (and to work the exploit would need a user-supplied variable to be displayed within a singly-quoted HTML attribute).
 
Last edited by a moderator:
Top
amuck-landowner