New WHMCS Vulnerability

MartinD Member
edited October 2012 in General

Heads up:

http://www.webhostingtalk.com/showthread.php?t=1198117

Relating to the Boleto payment gateway module.


Comments

  • Why do they include these useless modules most people will never use...

    Anyone know what the exploit actually is? Just curious to see how they cocked up and missed it.

  • @AsadHaider Good question, but some may use it. They should just open up a customer download area to download modules as needed, or alternatively just delete what you don't need.

  • Has anybody else got an email about this? Or are we expected to find it ourselves on WHT :S

  • @GetKVM_Ash said: Has anybody else got an email about this? Or are we expected to find it ourselves on WHT :S

    Nope, no email here either... :/

    Fusioned | KVM SSD VPS | LSI RAID10 | Netherlands 1Gbps | R1Soft | IPv4 & IPv6 | SolusVM
  • If they did send one, it takes a while to arrive given the size of their customer base :)

  • Mon5t3r Member
    edited October 2012

    It was, or is this another "new" Boleto module vulnerability?

    Yes! I'm with Carstensz Pyramid Server Now stop asking me please :D
  • qps Member

    @Mon5t3r said: It was, or is this another "new" Boleto module vulnerability?

    Another new vulnerability for this module. The second within the past few months, I believe.

    QuickPacket - Featuring OpenVZ, Xen and KVM VPS, Dedicated Servers, Co-location, R1Soft Backups in Atlanta & Las Vegas

    Thanked by 1: Mon5t3r
  • Infinity Retired Staff
    edited October 2012

    @GetKVM_Ash said: Has anybody else got an email about this? Or are we expected to find it ourselves on WHT :S

    None here either, did you buy your WHMCS direct from themselves?

    I am a troll (;

  • Looks like their usual modus operandi - not notifying customers of a breach properly.

    I don't care how many customers they have and how long it would allegedly take, stuff like this is what you use things like Sendgrid for, as a company.

    Appreciate my posts/software/guides? Donate (PayPal/Flattr/Bitcoin): http://cryto.net/~joepie91/donate.html | irc.freenode.net #lowendbox

  • aaaaaaaaaaaaaaaaaaand the folder has been deleted. Thank you WHMCS LET + WHT for informing me of this security exploit

    Cloud Shards | United Kingdom Representative
    Buffalo, Dallas, Los Angeles | 24/7 Global Support
    VPS, Dedicated and Atlassian solutions.

    Thanked by 1: Infinity
  • Thanks for this, the folder has been deleted, not received any email although they claim they have sent them out.

    https://nodedeploy.com | Premium VPS Solutions | Managed

  • AsadHaider Member
    edited October 2012

    WHMCompleteSolution (WHMCS) contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'require' function in the modules/gateways/boleto/boleto.php script not properly sanitizing user input supplied to the 'banco' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

    Developer who wrote that module is a f***ing retard, whmcs are idiots for missing that.
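
    The pattern the advisory text above describes, as an added illustration that is not code from WHMCS or from the Boleto module: the user-controlled require() next to a hardened version that only ever treats the 'banco' parameter as a key into a fixed allowlist. The directory layout, bank keys, file names and function names are assumptions made for the example.

```php
<?php
// Added illustration, not WHMCS or Boleto code. Directory layout, bank keys
// and file names below are assumed for the example.

// --- Vulnerable pattern, as the advisory text describes it (reconstructed) ---
// The request parameter becomes part of the path given to require(). With
// allow_url_include=On that fetches and runs code from a remote host; with it
// off, it still lets a caller include arbitrary local files. Never call this.
function load_bank_module_unsafe(array $request): void
{
    $banco = $request['banco'];
    require 'modules/gateways/boleto/' . $banco . '.php';   // user-controlled path
}

// --- Hardened version ---
// 1. The parameter is only ever a key into a fixed allowlist, never a path piece.
// 2. The resolved file must exist inside the module directory (realpath check).
// 3. Anything else is refused with a 400 and logged, which gives the SIEM a
//    signal for RFI probing against the gateway.
const BOLETO_BASE_DIR = __DIR__ . '/modules/gateways/boleto';   // assumed layout
const BOLETO_BANKS = [                                            // assumed keys/files
    'bb'       => 'bb.php',
    'bradesco' => 'bradesco.php',
    'itau'     => 'itau.php',
];

// Returns the absolute path of the bank module to include, or null to refuse.
function resolve_bank_module(string $banco): ?string
{
    if (!array_key_exists($banco, BOLETO_BANKS)) {
        return null;                         // not a known bank key
    }
    $base = realpath(BOLETO_BASE_DIR);
    $real = realpath(BOLETO_BASE_DIR . '/' . BOLETO_BANKS[$banco]);
    // realpath() is false for a missing file and collapses "..", so a result
    // outside the base directory, or no result at all, means: include nothing.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

function load_bank_module_safe(array $request): bool
{
    $banco = isset($request['banco']) ? (string) $request['banco'] : '';
    $path  = resolve_bank_module($banco);
    if ($path === null) {
        error_log(sprintf('boleto: rejected banco=%s from %s',
            substr($banco, 0, 64), $_SERVER['REMOTE_ADDR'] ?? 'cli'));
        http_response_code(400);
        return false;
    }
    require $path;
    return true;
}

// Constructed inputs: one legitimate key, a remote URL and a traversal string.
// Only resolution is shown; nothing is included here. On a machine without the
// assumed module files even 'itau' is refused: the check fails closed.
$samples = ['itau', 'http://example.invalid/x', '../../some_local_file'];
foreach ($samples as $banco) {
    printf("%-28s -> %s\n", $banco,
        resolve_bank_module($banco) === null ? 'refused' : 'include allowed');
}
```

    Run it with `php` from the command line; the loop at the bottom only resolves paths. The allowlist removes the whole class of bug regardless of php.ini, but keeping `allow_url_include=Off` (the default since PHP 5.2) and logging every refused value are still worth having, the first as a second layer and the second as the detection signal that tells you someone is probing the gateway.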

  • Seriously? An RFI vulnerability? In 2012? What is wrong with them?

    President Of Operations/CEO/CFO/CTO/COO of my account

    Thanked by 3: Infinity, Taz, djvdorp
  • For those of you who didn't get the e-mail, check your spam filters.

    Alternatively, don't rely on WHMCS to send out e-mails. Get your own alerts to WHMCS security updates by subscribing to their "News and Announcements" forum and when they create a new thread you'll get an e-mail right away (I can guarantee the subscribe list on their forum is much smaller than their client list so when they send out a Mass E-mail to their clients it can take quite a while to arrive).

    Thanked by 3: rds100, Infinity, Oliver
  • @KuJoe said: Alternatively, don't rely on WHMCS

    I don't :) I waited for the LET whining to start

    Hostigation High Resource Hosting - SolusVM OpenVZ/KVM VPS
    Thanked by 1: Oliver
  • @KuJoe said: For those of you who didn't get the e-mail, check your spam filters.

    Not had any emails at all, I use Google Apps for my personal mail.

    I also don't use my WHMCS installation on a public URL, it's used for backend client/services management and invoicing only (which I then manually email out).

  • Nothing in SPAM here (I use Google Apps also). Judging by the look of it nobody got an email; it doesn't take this long to send out, I don't care how big their client base is.

  • Taz Disabled
    edited October 2012

    @GetKVM_Ash said: Nothing in SPAM here (I use Google Apps also). Judging by the look of it nobody got an email; it doesn't take this long to send out, I don't care how big their client base is.

    If you consider WHT as big, and 80% of WHT members were a host at some point in their life (which is most likely), and WHT only has a fraction of all the hosts out here, and more than 90% of hosts out here use WHMCS, then WHMCS's client base is HUGE!

    Time is good and also bad. Life is short and that is sad. Don't worry, be happy, that's my style. No matter what happens I won't lose my smile!

    @GetKVM_Ash said: Judging by the look of it nobody got an email; it doesn't take this long to send out, I don't care how big their client base is.

    I got an email, received at Delivery-date: Fri, 05 Oct 2012 15:12:12 -0400

    From: WHMCS Limited 
    Subject: WHMCS Security Alert
    Reply-To: noreply @ whmcs.com
    Precedence: bulk
    Sender: 
    Date: Fri, 05 Oct 2012 19:12:09 +0000
    
    Hostigation High Resource Hosting - SolusVM OpenVZ/KVM VPS
  • INIZ Member
    edited October 2012

    Just got mine too, a few mins ago. They need a better mail system, since notifying about a security alert should be done within minutes of it being patched, or with a large message like HostBill has when a new update is available.

  • I see no reason to not just go with HostBill.

    http://therealvpsreview.com Unbiased, Uninfluenced, Honest SSD VPS Reviews

  • @miTgiB said: I got an email, received at Delivery-date: Fri, 05 Oct 2012 15:12:12 -0400

    Thank you for confirming, I still have nothing yet.

    All I was getting at is that in the amount of time it's taking them to get these out there, a lot of hosts could have been compromised due to releases on forums.

    Clients should be hearing things first from WHMCS directly. I mean, don't get me wrong, I'm glad Martin posted this, otherwise I wouldn't have a clue personally, but a lot of people that don't need to know (non-clients & skiddys) know as well.

  • Thanks for the heads up. You can never be too cautious.

    jarland.me | Read about my new hosting experiment.

  • Just got mine

  • MartinD Member
    edited October 2012

    What I find amusing is people moaning and complaining about WHMCS releasing software that has bugs/security issues that they haven't checked. Surely then, if people think this, they will have checked their own systems for issues...including software they're running, no?

    Just a thought really. Can't moan about these things as we're all just as guilty.

  • joepie91 Member
    edited October 2012

    @MartinD said: What I find amusing is people moaning and complaining about WHMCS releasing software that has bugs/security issues that they haven't checked. Surely then, if people think this, they will have checked their own systems for issues...including software they're running, no?

    Yeah, great idea.

    ... only WHMCS uses ionCube to encode their source, so you can't check it out for yourself.

    Yeah. Great idea, that ionCube thing.

    Appreciate my posts/software/guides? Donate (PayPal/Flattr/Bitcoin): http://cryto.net/~joepie91/donate.html | irc.freenode.net #lowendbox

  • @joepie91 said: Yeah, great idea.

    ... only WHMCS uses ionCube to encode their source, so you can't check it out for yourself.

    Yeah. Great idea, that ionCube thing.

    You can buy WHMCS fully decrypted

  • MartinD Member
    edited October 2012

    Doesn't really matter. We're all responsible for the security of our own systems so if we can't verify the security of the software being used, we're no better than WHMCS.

    @GetKVM_Ash said: Nothing in SPAM here (I use Google Apps also). Judging by the look of it nobody got an email; it doesn't take this long to send out, I don't care how big their client base is.

    I got an e-mail from them prior to my post (I guess I am one of the lucky ones, I use Google Apps also).

  • @GetKVM_Ash said: Has anybody else got an email about this? Or are we expected to find it ourselves on WHT :S

    I got the email before coming here and seeing this.

    __BitAccel__ - OpenVZ VPS / TUN, PPP 24/7 Support!
  • [image]

    vpsBoard.com - Now with over 450 members! A friendly community with active discussion. Come join us!

    IRC.FREENODE.NET #vpsBoard - Drop by and say, 'Hello'.
  • Just got this in an email:

    WHMCS Security Alert www.whmcs.com

    We have become aware of a security issue that exists in the third party Boleto module included in WHMCS releases. This can potentially be used to exploit a WHMCS installation.

    If you do not use the Boleto module, then the quickest and easiest solution is to simply delete the /modules/gateways/boleto/ folder entirely after which you will not be at risk.

    Alternatively if you do use the module, you can download and apply the patch to your installation here: http://www.whmcs.com/members/dl.php?type=d&id=138

    This issue affects all WHMCS versions.

    If you have any questions or need any assistance, please do not hesitate to contact us. We apologize for the inconvenience.

    Kind Regards, The WHMCS Team www.whmcs.com

  • Just got the email a few hours ago

    www.erawanarifnugroho.com - powered by Prometeus XenBiz | Server Uptime status - powered by Prometeus Xen Pune
    I'm not working for any providers in here; all my comments are just my own opinion.
  • I received an email about an hour ago

  • Anyone actually seen the exploit yet? Another SQL injection?

  • @MartinD You make solid points. Honestly I don't mind this; there's going to be an exploit every now and then that people miss, it happens to the best of us. With cPanel taking an interest I'm not worried about WHMCS. cPanel isn't known for being without exploits either, but when you're on top it's impossible to employ a workforce that matches the manpower of those with malicious intent against you that act collectively and individually.

    jarland.me | Read about my new hosting experiment.

    Thanked by 2: KuJoe, Maounique
  • I got an email to my personal email at 12.07AM (GMT) and to my business email at 2.40AM (GMT) so quite a difference.

  • Also received an email from WHMCS last night at 11:30 PM (UTC)

    Fusioned | KVM SSD VPS | LSI RAID10 | Netherlands 1Gbps | R1Soft | IPv4 & IPv6 | SolusVM
  • @apollo15 said: injection

    Even worse, an RFI according to this post.

    President Of Operations/CEO/CFO/CTO/COO of my account

    @jarland said: @MartinD You make solid points. Honestly I don't mind this; there's going to be an exploit every now and then that people miss, it happens to the best of us. With cPanel taking an interest I'm not worried about WHMCS. cPanel isn't known for being without exploits either, but when you're on top it's impossible to employ a workforce that matches the manpower of those with malicious intent against you that act collectively and individually.

    This has very little to do with manpower.

    This is an RFI, for crying out loud. And a stupidly simple one at that - one that could have easily been prevented with proper developers and source review.

    This is the kind of vuln you find in the code of someone that just started writing PHP 2 months ago.

    Appreciate my posts/software/guides? Donate (PayPal/Flattr/Bitcoin): http://cryto.net/~joepie91/donate.html | irc.freenode.net #lowendbox

  • KuJoe Member
    edited October 2012

    For what it's worth, the Boleto addon was written by Boleto (not WHMCS) and is not encoded. While WHMCS is at fault for not reviewing the code, the same fault can be placed on the admins putting the files on their system.

    Thanked by 1: MartinD
  • Honestly I'm not sure how all of these SQL injections pop up... when I write stuff I always make sure to escape it (or, now that I'm using MySQL PDO, I always prepare it) - client input should NEVER be trusted....

    @KuJoe agreed, they should definitely be checking their stuff

  • The software has a bug, someone finds it, it is fixed. What's bad here? This is what we should expect from WHMCS IMO, it's not as if they ignored it. All software has bugs...

    @MartinD said: If they did send one, it takes a while to arrive given the size of their customer base :)

    How would you know anything about the size of their custo.. oh wait. Never mind... ;-)

    Ransom IT | ɹǝpun uʍop sdʌ | vps down under | KVM in Sydney and Adelaide | OpenVZ in Adelaide
  • @Spencer said: You can buy WHMCS fully decrypted

    Then you can rename and edit each file/directory in order to be more secure from attack :D

  • I think WHMCS is great. It works just fine, it has many options and a nice API. In addition, they fixed the bug on time and they did send an email to let their customers know about it.

    What we do after upgrading is just delete all modules we don't need.

    New VPS Offers | KVM | Germany | 70GB HD | 768MB RAM | Unmetered BW

    Thanked by 2: KuJoe, HostCheetah
  • Never heard about Boleto but seems somebody else did.

    Instant OpenVZ/Xen VPS in UK, DE, US, FR, CH - PayPal, Skrill, Payza, Bitcoin, WM, PM, STP, OKPay, CashU, Ukash ...
  • Typing "boleto" into Google doesn't turn up a payment processor for me. Is this even in existence anymore?

    I am no longer affiliated with IPXcore.