WHMCS 5.2.7 Vulnerability

perennate

@fcfc said:
5.2.7 yes

Are you sure it doesn't affect earlier versions? I would say disable access no matter what version you're using unless you have decoded code for your specific version.

fapvps

@perennate said:
Are you sure it doesn't affect earlier versions? I would say disable access no matter what version you're using unless you have decoded code for your specific version.

Earlier versions are affected.

irm

@perennate said:
Are you sure it doesn't affect earlier versions? I would say disable access no matter what version you're using unless you have decoded code for your specific version.

Im illiterate apparently, ignore my last comment

fapvps

Instead of adding new features perhaps they should focus on hardening the security of what they already have.

perennate

I went ahead and submitted tickets to most of the hosts featured on LEB in the last two months who are using and haven't disabled WHMCS yet. Some say they blocked it with mod_security rule.

seriesn

So who got hit?

fapvps

This has been out for at least 4 hours and I don't understand why we didn't receive an email from WHMCS themselves.

Jono20201

@seriesn said:
So who got hit?

No one I am aware of yet.

DewlanceVPS

You can check this by running this exploit on your own whmcs.

rds100

They should have at least tweeted and posted in their blog though...

HC_Ro

probably no one left in the office with access to do that, being at cpan conf

Jono20201

https://twitter.com/whmcs/status/385811317179052032

Nick_A

Such a strange way to put it in a Tweet.

CentrioHost

SecRule REQUEST_URI|ARGS|REQUEST_BODY "AES_ENCRYPT" "id:31337,phase:4,log,deny,msg:'WHMCS Fail'"

Setting this rule at mod_security will fix this for now.

DomainBop

@perennate said:
Probably. I'd recommend shutting off access to your WHMCS altogether though.

You should give that advice to WHMCS themselves. Their vulnerable installation is still online accepting orders. //facepalm

CentrioHost

Damn! Fuck off! As soon I reply this thread I got attack! Fuck this shit who did this to me!

Client ID: 31183 - Endang Sukandar has requested to change his/her details as indicated below:

>

First Name: 'Endang' to 'AES_ENCRYPT(1,1), firstname=(SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)'

Last Name: 'Sukandar' to '1'

Company Name: 'Pribados' to '1'

Address 1: 'Parakan 9 ' to '1'

Address 2: '' to '1'

City: 'Bandung' to '1'

State: 'Jawa Barat' to '1'

Postcode: '17654' to '1'

Country: 'ID' to 'US'

Phone Number: '87654329' to '1'

Default Payment Method: '' to ''

Jono20201

@CentrioHost said:
Damn! Fuck off! As soon I reply this thread I got attack! Fuck this shit who did this to me!

I'm guessing your fix doesn't work then? Best to disable WHMCS.

CentrioHost

@Jono20201 It will not work, mod_sec rules already prevent it. However I take it down as well. Better not to take any risk. Privacy matters.

ErawanArifNugroho

@CentrioHost said:
Damn! Fuck off! As soon I reply this thread I got attack! Fuck this shit who did this to me!

Default Payment Method: '' to ''

It's a name of person in Indonesia.

CentrioHost

@ErawanArifNugroho Yes IP also from ID

DomainBop

patch released
http://blog.whmcs.com/?t=79427

CentrioHost

They released the patch. Just implement it..

http://go.whmcs.com/218/v528_Incremental

It seems only v5.2.7 has been affected.

Rallias

If the vulnerable code is what I've seen, people need to flee WHMCS in DROVES.

The fact that they explicitly whitelisted something to be unfiltered... that's not able to be called stupidity. That's a backdoor, plain and simple. What's to say they didn't just replace the whitelist with something else that they can easily find?

serverian

@CentrioHost said:
They released the patch. Just implement it..

It seems only v5.2.7 has been affected.

All 5.x are affected.

fapvps

That patch came out quickly. I hope they harden the security.

Awmusic12635

Neat thing Cloudflare did, got this email from them:

To our hosting partners using WHMCS,

A critical zero-day vulnerability was published today affecting any hosting provider using WHMCS. As part of building a safer web, CloudFlare has added a rule to our Web Application Firewall (WAF) to block the published attack vector.

To enable this rule, log into your account at CloudFlare.com, go to "CloudFlare Settings" -> "Security" -> "Manage WAF". Here you can enable the "CloudFlare Whmcs" rule to protect your website and billing system. Using this rule, hosting partners running their WHMCS behind CloudFlare's WAF and implementing best practices are fully protected from the attack.

Our friends at WHMCS quickly published a patch here: http://blog.whmcs.com/?t=79427

CloudFlare recommends applying the patch for your current version of WHMCS or updating WHMCS to version 5.2.8 to fully close this vulnerability.

Thanks,

• The CloudFlare Team

Copyright © 2013 CloudFlare, All rights reserved.

sman

@DamienSB said:
You should remove the link to the exploit. Make people work for it.

Yes, let's block the internets till it's fixed. Such practical advice.

There is already a fix out for this so the whiners who probably don't even use whmcs will have to find something else to whine about.

sman

@Rallias said:
If the vulnerable code is what I've seen, people need to flee WHMCS in DROVES.

The fact that they explicitly whitelisted something to be unfiltered... that's not able to be called stupidity. That's a backdoor, plain and simple. What's to say they didn't just replace the whitelist with something else that they can easily find?

Yes in 'droves' or gaggles even. Flee everyone flee...lol.

fapvps

@Fliphost said:
Neat thing Cloudflare did, got this email from them:

This is awesome... It will be nice if CF would add these 0 day type exploits as soon as they are discovered.

Awmusic12635

@fapvps Pretty decent response time for software that isn't theirs.