WHMCS Vulnerability - Latest version

[SrsX]

Vulnerability discovered: 21/12/2013

Vulnerability public disclosure: 23/12/2013

Versions affected: All

ACL: Administrator

Critical: Semi/Partial

POC: Configuration -> General Settings -> Company Name -> VPS">board

Warnings: From here if an attacker wants they can figure out a way to execute raw javascript, if successful the frontend (public accessable end) may be executing raw javascript inplanted by the attacker.

Reported to vender: 21/12/2013

Image:

 

[yolo]

mehhh

 

[SrsX]

Just discovered a more serious vulnerability on invoices.

 

[yolo]

mehhh

 

[josephb]

Just discovered a more serious vulnerability on invoices.

Another day, another vuln.

Shame really.

 

[drmike]

JavasCRAPT.  Seriously, JS is rubbish and neverending horror.

I continue disabling and think JS spiffed sites for the most part need to think long and hard about the crap they are spewing. 

 

[NodeWest-Dan]

I don't understand how someone could get to your admin panel if you follow the steps on whmcs for securing and put it in a password protected directory.

 

[SrsX]

 

I don't understand how someone could get to your admin panel if you follow the steps on whmcs for securing and put it in a password protected directory.

 

Here is the issue - a vulnerability I reported earlier to WHMCS details a SQL injection on the clientside, if you inject that you are able to access the database, from there you can just modify things in the backend and/or read settings from the database, therefore you don't need access to the admin panel.