WHMCS Security Update

http://blog.whmcs.com/?t=83303

Security Issue Information

This Advisory provides resolution for a single security issue which was publicly disclosed. Specific information regarding that issue can be found below.

Case #3785
SQL Injection via Admin Credit Routines

=== Severity Level ===
Important

=== Description ===
An attacker who can function as an authenticated admin user with the ability to apply credits to an invoice can, using specially crafted input, cause the credit routines to execute arbitrary SQL commands if the target user has a credit balance known to the attacker.

Due to the many prerequisites necessary to successfully navigate this vector, a security impact level has been assessed as "Important". Information on security ratings can be found at http://docs.whmcs.com/Security_Levels

=== Resolution ===
Download and apply the appropriate software updates to protect against these vulnerabilities; information about software update releases is provided in the "Releases" section of this Advisory.
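The advisory above describes a credit routine that splices admin-supplied values into SQL text, so that a crafted value in one field can rewrite the query rather than just fill in a number. The following is an added illustration and is not code from WHMCS or from this thread: it models that pattern on a constructed SQLite table (the `tblclients` name and its columns are assumptions) and places the hardened form, which validates the amount as a decimal and binds every value as a query parameter, next to it.

```python
import sqlite3
from decimal import Decimal, InvalidOperation

# Constructed schema and sample data. The table name tblclients and its
# columns are placeholders chosen for this example, not the WHMCS schema.
SCHEMA = """
CREATE TABLE tblclients (id INTEGER PRIMARY KEY, credit REAL NOT NULL);
INSERT INTO tblclients VALUES (1, 50.0), (2, 75.0), (3, 0.0);
"""


def fresh_db():
    """Return an in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def apply_credit_vulnerable(conn, client_id, amount, expected_balance):
    """The weak pattern: values from the admin form are formatted straight
    into the SQL string. The balance guard in the WHERE clause only holds
    while the supplied values are honest numbers; any other text becomes
    part of the statement. Returns the number of rows changed."""
    sql = (
        f"UPDATE tblclients SET credit = credit - {amount} "
        f"WHERE id = {client_id} AND credit = {expected_balance}"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def parse_money(value):
    """Accept only a plain, finite, non-negative decimal amount.
    Anything else is rejected before it gets near the database."""
    try:
        amt = Decimal(str(value).strip())
    except InvalidOperation:
        raise ValueError(f"not a monetary amount: {value!r}")
    if not amt.is_finite() or amt < 0:
        raise ValueError(f"amount out of range: {value!r}")
    return float(amt)


def apply_credit_safe(conn, client_id, amount, expected_balance):
    """The hardened form: every input is validated to its expected type and
    then bound as a parameter, so the SQL text is fixed regardless of what
    the admin form sends. Returns the number of rows changed (0 when the
    expected balance does not match, 1 on success)."""
    amt = parse_money(amount)
    bal = parse_money(expected_balance)
    cid = int(client_id)
    cur = conn.execute(
        "UPDATE tblclients SET credit = credit - ? WHERE id = ? AND credit = ?",
        (amt, cid, bal),
    )
    conn.commit()
    return cur.rowcount


def safe_rejects(conn, client_id, amount, expected_balance):
    """True if the hardened routine refuses the input without touching data."""
    try:
        apply_credit_safe(conn, client_id, amount, expected_balance)
    except ValueError:
        return True
    return False


def balances(conn):
    """Snapshot of every client's credit, keyed by client id."""
    rows = conn.execute("SELECT id, credit FROM tblclients ORDER BY id")
    return {cid: credit for cid, credit in rows}


if __name__ == "__main__":
    # Constructed input: a balance field carrying SQL text instead of a number.
    db = fresh_db()
    print("vulnerable rows changed:", apply_credit_vulnerable(db, 1, "10.00", "50 OR 1=1"))
    print("balances afterwards:", balances(db))
    db = fresh_db()
    print("hardened rejects it:", safe_rejects(db, 1, "10.00", "50 OR 1=1"))
    print("hardened honest update rows:", apply_credit_safe(db, 1, "10.00", "50.00"))
    print("balances afterwards:", balances(db))
```

The point of the comparison is in the row counts: with the string-built query, a non-numeric balance field turns the per-client guard into a statement that touches every row, whereas the bound version either rejects the input outright or changes exactly the one row whose id and balance match. Validating the amount with `Decimal` rather than `float()` also keeps values such as `"nan"` or `"1e308"` from slipping through as "numbers".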

Comments

  • AnthonySmith Member, Patron Provider

    Thanks, the contents of the patch are a little confusing though, don't you think?

    Old files and then a separate 5.2.15 folder, guess it was a rushed release.

  • @AnthonySmith said:
    Thanks, the contents of the patch are a little confusing though, don't you think?

    Old files and then a separate 5.2.15 folder, guess it was a rushed release.

    Yeah, it seems they might've released a messed up version.

  • @AnthonySmith said:
    Thanks, the contents of the patch are a little confusing though, don't you think?
    Old files and then a separate 5.2.15 folder, guess it was a rushed release.

    Indeed, the old files are from a 5.1.5 build 3 patch release; I can see quite a few broken 5.2.x installs arising from this.

  • AnthonySmith Member, Patron Provider

    merry Christmas

    Thanked by 1 rds100
  • Virtovo Member
    edited December 2013

    Awesome. Where was it publicly disclosed? I notice Localhost is now down.

  • Let's wait for the fix of the fix then :)

  • Looks like the patch has been fixed.

  • mikho Member, Host Rep

    Guess I'll do the update in the morning as an early Christmas gift to myself. Oh joy.

  • Just updated and works fine.

  • jbiloh Administrator, Veteran

    How many exploits does this make for WHMCS just in 2013? It has to be past 10 now, right?

  • I wouldn't call this an exploit. If you can't trust your admins... fire them.

  • WHMCS deserves a Merry Xmas and Happy New Year? Wish I could take a proper family break before charging back into the Internet Zoo of 2014.
