WHMCS Vuln again?
- Thread starter H_Heisenberg
- Start date
We have been made aware of that website and we are monitoring it for any further postings but at this time, what has been posted is not details of an exploit. The user makes some kind of reference to globals not being necessary which is incorrect, and then goes on to reference one of the functions used in sanitizing user input in WHMCS, but doesn't provide any valid way of using that to exploit a WHMCS installation in the real world. Please rest assured that we always take security seriously, and will continue to monitor and respond as necessary to any new information.
says WHMCS...
says WHMCS...
deluxehost
New Member
Its an old one, but its real..its about a week or so old.
D. Strout
Resident IPv6 Proponent
Yeah, but they gave standard big company BS about how it isn't an issue and everything's OK and we're always vigilant. Yeah, right. A developer probably woke up from his before-lunch nap early and gave one file a once-over to make sure there weren't any glaring bugs. Then he went to lunch, then came back for his after-lunch nap.
So where is your billing and/or VPS panel, D Strout? All I see if you mouthing off about coders everywhere, be it WHMCS or SolusVM, saying how crap they are and that they do nothing.
"I know most of the major web "languages" out there, with proficiency in HTML, CSS, JavaScript/AJAX and PHP, as well as good familiarity with MySQL."
Does that qualify you as an expert who can do oh-so-much better?
"I know most of the major web "languages" out there, with proficiency in HTML, CSS, JavaScript/AJAX and PHP, as well as good familiarity with MySQL."
Does that qualify you as an expert who can do oh-so-much better?
Please, elaborate.
Anyway, I said this on LET:
So curtisg decided to run a PHP Analyzer (http://sourceforge.net/projects/rips-scanner/) on decoded WHMCS code, and he's posting all the false positives, including "exploits" generated by the analyzer that don't actually do anything.
Can he be more lame than this? Seriously, classic script kiddie stuff.
Curtisg, if you do infosec like you claim to, why can't you find actual vulnerabilities? Why not write an actual exploit, you know, by hand?
The difference between you and a skid that runs ./udp.pl is null. Well, actually, at least that skid may be successful
Last edited by a moderator:
D. Strout
Resident IPv6 Proponent
@MartinD I'm not commenting on the code, I'm commenting on big companies who know they have a monopoly in the market. From that position, they just don't give a crap about vulnerabilities. Which is why I strongly suspect there was little concern about the possibility of vulnerabilities based on what was posted in the linked website, just enough to put out an "all clear" to keep the orders flowing in.
Last edited by a moderator:
wlanboy
Content Contributer
Programming looks so easy as long as you don't have a couple of customers
I don't want to find any excuses for SolusVM or for WHMCS but don't bash employees because of one sales/rep guy doing "first post then think about it" stuff.
You don't know how the companies tick.
All I know is that after some years of coding, after some colleague leave without any handing over, after some "customer want feature even if it breaks the design" and after some "it has to be finished at 11p.m." all code ends in something that you don't want to work with.
I don't want to find any excuses for SolusVM or for WHMCS but don't bash employees because of one sales/rep guy doing "first post then think about it" stuff.
You don't know how the companies tick.
All I know is that after some years of coding, after some colleague leave without any handing over, after some "customer want feature even if it breaks the design" and after some "it has to be finished at 11p.m." all code ends in something that you don't want to work with.
"The skid finds the exit; statement at the top of the udp.pl"Please, elaborate.
Anyway, I said this on LET:
So curtisg decided to run a PHP Analyzer (http://sourceforge.net/projects/rips-scanner/) on decoded WHMCS code, and he's posting all the false positives, including "exploits" generated by the analyzer that don't actually do anything.
Can he be more lame than this? Seriously, classic script kiddie stuff.
Curtisg, if you do infosec like you claim to, why can't you find actual vulnerabilities? Why not write an actual exploit, you know, by hand?
The difference between you and a skid that runs ./udp.pl is null. Well, actually, at least that skid may be successful
Anyways, what ever happened to his VPS panel that he was 90% done? If it was truly 90% done then he's a coding machine since he did so much in a matter of days. I know he came knocking on my door asking for Stallion 1's code to see if we were "both on the same page" on how to integrate parts.
I'm fairly sure he's also the guy that appeared on #frantech claiming he would cancel "all of his services" with us unless he was allowed to audit Stallion 2's code.
Francisco
Last edited by a moderator:
Can I look at the code, please Francisco, ppppllll33333@@@@@555555553333333!!!!!!!!!!!!!
wlanboy
Content Contributer
I would have answered: "Thank you for your offer!"
Aldryic C'boas
The Pony
I tend to reply to these with expediting their cancellations for them. Forcibly.
WelltodoInformalCattle
New Member
jarland
The ocean is digital
Someone needs to teach this kid what it's like to get punched in the face, that's all I'm saying. I'm not being unfair, I needed a good punch in the face at one point in my life. I got it too. Anyone in Canada? Obviously I'm joking, except about his need for a cold introduction to reality. If his desire was security it'd be one thing, but those of us who have been following his actions for some time will not question his motive: to cause chaos in an industry that "rejected" him (because he repeatedly scammed people) by any means necessary. When he uses up this method, he'll move on to a new one. The ability to hide behind other people's bad code and mask it as something "good" for the "community" is just an unintended side effect of his current methods.Please, elaborate.
Anyway, I said this on LET:
So curtisg decided to run a PHP Analyzer (http://sourceforge.net/projects/rips-scanner/) on decoded WHMCS code, and he's posting all the false positives, including "exploits" generated by the analyzer that don't actually do anything.
Can he be more lame than this? Seriously, classic script kiddie stuff.
Curtisg, if you do infosec like you claim to, why can't you find actual vulnerabilities? Why not write an actual exploit, you know, by hand?
The difference between you and a skid that runs ./udp.pl is null. Well, actually, at least that skid may be successful
Last edited by a moderator:
H_Heisenberg
New Member
So it's nothing serious and already known to the WHCMS team?
If it's the point then the site is probably fake and WHCMS is going to fix everything or has already fixed everything.
If it's the point then the site is probably fake and WHCMS is going to fix everything or has already fixed everything.
Just read his posts, half of the vulnerabilities he found involve non-public-facing PHP files; how does that make any sense? The original XSS one was closest to an exploit, but it's ridiculous since single quotes are never used for attributes anywhere in WHMCS source code (and to work the exploit would need a user-supplied variable to be displayed within a singly-quoted HTML attribute).
Last edited by a moderator: