WHMCS 5.2.7 Vulnerability - Page 6
Comments

  • @sman said:
    Perhaps you should argue that point with WHMCS then. That is not what they are saying if you take the time to read their post...carefully.

    I don't have to. They are full of bullshit.

  • From the WHMCS Blog:

    "Please note that due to the nature of SQL Injection attacks, it is possible to do more than just information disclosure if the attempt was successful. We encourage you to look at the injected values and identify the exact SQL statements used by the attacker from the log entries prior to applying the patch; from this information you can know what database values the attacker was seeking to access or update."

    From my understanding an attacker can get all kinds of information from the db using this attack vector and the extra security steps will not prevent a data leak.

  • smansman Member
    edited October 2013

    @fapvps said:
    From the WHMCS Blog:

    "Please note that due to the nature of SQL Injection attacks, it is possible to do more than just information disclosure if the attempt was successful. We encourage you to look at the injected values and identify the exact SQL statements used by the attacker from the log entries prior to applying the patch; from this information you can know what database values the attacker was seeking to access or update."

    From my understanding an attacker can get all kinds of information from the db using this attack vector and the extra security steps will not prevent a data leak.

    Please provide the exact code for doing that. Alternatively, please provide a link to code posted somewhere for doing that. Right now the ONLY exploit is getting admin password hash.

    It is my understanding that an attacker can break into any bank and get all kinds of information from the db. So now what? We should all close our bank accounts?

  • @sman said:
    If you are paranoid about 'what if's' then you are in the wrong business anyways. There is always a risk as long as you are connected to the internet. Adobe just got hacked and had a bunch of customer details including credit card numbers and a bunch of their source code stolen. You going to stop using Adobe now? There...is...always...a...risk.

    Man, if you didn't understand what that vulnerability was, here it is:

    It allows you to run any SQL code if you start it with "AES_ENCRYPT". So people didn't even have to run that exploit code. They can just login to their client area and just type any SQL code they want starting with "AES_ENCRYPT(1,1), FIELDNAME=" and it'll be executed. So someone could just run this to drop the clients table: "AES_ENCRYPT(1,1), firstname=(SELECT * FROM (DROP TABLE tblclients))"

    Got it?

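    As an added illustration (not code from this thread or from WHMCS), the Python below models the flawed pattern serverian describes, where a submitted value beginning with AES_ENCRYPT is spliced into the UPDATE as raw SQL, beside a parameterised update that stores the very same string as inert text. The unsafe builder's behaviour and the column allowlist are assumptions for illustration, not WHMCS's actual source.

```python
import sqlite3

# Constructed sample: the profile-update value quoted earlier in this thread.
INJECTED_FIRSTNAME = "AES_ENCRYPT(1,1), firstname=(SELECT * FROM (DROP TABLE tblclients))"

def build_update_unsafe(table, fields, where_id):
    """Model of the flawed pattern the thread describes (an assumption, not
    WHMCS's real source): a value beginning with AES_ENCRYPT is treated as a
    trusted SQL expression and spliced in without escaping, so the submitted
    value rewrites the statement."""
    parts = []
    for col, val in fields.items():
        if val.upper().startswith("AES_ENCRYPT"):
            parts.append(f"{col}={val}")  # raw SQL: the injection point
        else:
            escaped = val.replace("'", "''")
            parts.append(f"{col}='{escaped}'")
    return f"UPDATE {table} SET {', '.join(parts)} WHERE id={int(where_id)}"

def build_update_safe(table, fields, where_id):
    """Hardened form: column names come from an allowlist and every value is
    a bound parameter, so no value can ever be parsed as SQL."""
    allowed = {"firstname", "lastname", "email", "phonenumber"}
    if not set(fields) <= allowed:
        raise ValueError("unexpected column in update")
    cols = list(fields)
    sql = f"UPDATE {table} SET {', '.join(c + '=?' for c in cols)} WHERE id=?"
    return sql, [fields[c] for c in cols] + [where_id]

def apply_safe_update(value):
    """Run the hardened update against an in-memory SQLite table and return
    (stored value, whether tblclients still exists): the payload lands in the
    column as plain text and the table is untouched."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tblclients (id INTEGER, firstname TEXT)")
    con.execute("INSERT INTO tblclients VALUES (1, 'alice')")
    sql, params = build_update_safe("tblclients", {"firstname": value}, 1)
    con.execute(sql, params)
    stored = con.execute("SELECT firstname FROM tblclients WHERE id=1").fetchone()[0]
    exists = con.execute(
        "SELECT count(*) FROM sqlite_master WHERE name='tblclients'").fetchone()[0] == 1
    return stored, exists
```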
  • smansman Member
    edited October 2013

    @serverian said:
    Got it?

    Did you try it? Please provide the results. If that is too much work how about providing one verified known case of this being done to someone. Not the admin access because I know that is possible. Not read access either. I am talking about something not requiring admin access allowing changes directly to a sql database as you suggest.

    I suggest you stop using whmcs if you are worried about it. Better yet cut all your internet access or make it so hard to use that you lose all your customers.

    There...is...always...risk. If you cannot live with that you are in the wrong business.

  • irmirm Member

    @sman holy shit, you're insufferable. just stop...

  • @sman said:

    Hmm.. alright. I won't waste my time here. Good luck!

  • @sman said:
    Did you try it? Please provide the results.

    How about, uhh, gee I dunno, learning SQL?

    Anyone half competent at the language will tell you that the query mentioned will do exactly what @serverian claims it does.

    Stop arguing for the sake of arguing, several people did try it and were successful in getting access to unauthorized data.

    Just because it's not publicized does not mean it's not happening.

  • dnomdnom Member
    edited October 2013

    @sman this is the code that was publicly released: http://localhost.re/res/whmcs.py
    It has an "exploit" function where you can pass SQL statements. I assume anyone could have just passed "SELECT * tblclients" to get client info. Anyone with SQL knowledge could have done anything (even write access) with the database easily.

  • @Wintereise said:

    Please provide one example. Surely if it is so easy and therefore must be happening then you can find at least one example somewhere in the world. I don't think this is an unreasonable request to counter your argument.

  • What example? I've so far nullrouted 6 people trying this on our (patched) WHMCS.

  • smansman Member
    edited October 2013

    @dnom said:
    sman this is the code that was publicly released: http://localhost.re/res/whmcs.py
    It has an "exploit" function where you can pass SQL statements. I assume anyone could have just passed "SELECT * tblclients" to get client info. Anyone with SQL knowledge could have done anything (even write access) with the database easily.

    Yes I saw that. WHMCS is saying that the only thing they can do (not trivially either) is obtain the admin password hash. So who should I believe? WHMCS or you?

    I've done some php coding involving sql database access and manipulation. It's not something I do a lot of so I don't claim to be an expert which is why I defer to WHMCS's explanation.

  • smansman Member
    edited October 2013

    @Wintereise said:
    What example? I've so far nullrouted 6 people trying this on our (patched) WHMCS.

    I am seeing the same thing. All I will say about that is I am only seeing the admin hash attempts.

    I'm in the same boat as everyone else on this. Just trying to understand it and see what I can do better for risk management moving forward.

  • @sman said:
    I've done some php coding involving sql database access and manipulation. Have you? It's not something I do a lot of so I don't claim to be an expert which is why I defer to WHMCS's explanation.

    @sman I actually code to eat.
    I just don't have access to a vulnerable WHMCS so I can't easily test. But if you want to provide that for me and pay me a fee, I will happily prove it to you. :)

  • DewlanceVPSDewlanceVPS Member, Patron Provider

    After applying a patch your whmcs is safe from this exploit?

  • smansman Member
    edited October 2013

    @dnom said:
    I just don't have access to a vulnerable WHMCS so I can't easily test. But if you want to provide that for me and pay me a fee. I will happily prove it to you. :)

    I do have a honeypot. I can probably downgrade it to 5.2.7 for you. Just send the bill to [email protected]

  • @sman I assume you can downgrade? I never worked with WHMCS (except for being a client) before so I'm not sure.

  • The guys who are good enough to figure out more than that if it's even possible won't be pissing around going after joe blow hosting company. They are too busy trying to hack into banks and getting hundreds of thousands of credit card numbers.

    That's actually bullshit and statistics show that the majority of hacks are done against small businesses. Hackers are more likely to target small businesses because they're 'easy picking' since the average small business doesn't have the resources to implement sophisticated security techniques. The average WHMCS user would be a perfect example of that: someone with limited knowledge of security and programming compounding the problem by using an obfuscated script and relying on the software maker's word that the code is "safe".

    I've done some php coding involving sql database access and manipulation. Have you? I don't claim to be an expert which is why I defer to WHMCS's explanation.

    Accepting a company's public relations/salesman's explanation as the gospel truth is a lot like accepting a politician's explanation as the truth. :)

  • smansman Member
    edited October 2013

    @DomainBop said:

    What I mean is that the guys who are really good and make big money don't fart around with this minor league stuff. So yea the vast majority of hacking is done by script kiddies who aren't very good and mostly just do things like trying to delete databases and deface websites. They are young enough that they don't have to worry about any major consequences that daddy won't bail them out of.

    Not sure what you mean by the second statement. I'm assuming everyone here has done some coding. It's not like php is all that difficult or uncommon. Especially in combination with mysql.

    So no doubt you can say the same thing yes?

  • c0yc0y Member
    edited October 2013

    @sman said:
    Yes I saw that. WHMCS is saying that the only thing they can do (not trivially either) is obtain the admin password hash. So who should I believe? WHMCS or you?

    No they did not say that, l2read moron

    In the published exploit example, the scripted behavior is to retrieve the admin user password hashes

    The exploit script can be altered to execute ANY sql query...

  • MaouniqueMaounique Host Rep, Veteran

    @DomainBop said:
    That's actually bullshit and statistics show that the majority of hacks are done against small businesses. Hackers are more likely to target small businesses because they're 'easy picking' since the average small business doesn't have the resources to implement sophisticated security techniques

    Actually, there is a much more sinister reason for why the small ppl are targeted. That is the fact that the law does not work for them: they cannot make the police and FBI go after the perpetrators; those go after people hacking the big corporations or the FBI/NSA directly. Nobody cares about the little guys, except how to make them pay more taxes and how to bully them into giving up their constitutional rights and their customers.

  • dnomdnom Member
    edited October 2013

    @Frost said:
    The exploit script can be altered to execute ANY sql query...

    So @Frost, willing to pay the bill to prove? JK :D

    <3 @Maounique turning this thread to be about politics

  • MaouniqueMaounique Host Rep, Veteran

    @dnom said:
    <3 Maounique turning this thread to be about governments

    Has anyone here managed to get a successful prosecution of some hacking against them? Did the police even listen to a complaint?
    Instead we know about raids and seizing of equipment, even against the law or abusing it.
    Hackers target the little guys because it is safe. Hacking a bank is dangerous and you will not be able to spend the money even if you manage to get them, but gathering paypal accounts and stealing little money from each can work.

  • @Maounique I actually agree with your point.

  • serverianserverian Member
    edited October 2013

    @sman, here you go buddy. You made me get a dev license, download old WHMCS and install it and execute the SQL code and record it:

    The code executed is AES_ENCRYPT(1,1), firstname=(SELECT * FROM (SELECT GROUP_CONCAT(email,0x3a,lastname,0x3a,phonenumber) FROM tblclients) as x)#

    The WHMCS version is 5.2.3

  • mpkossenmpkossen Member
    edited October 2013

    @Frost said:
    If you want to be a moderator then don't go point fingers at stuff you don't like without knowing what happened besides that. Can't come back from a honeymoon and go play policeman in arguments you have 0 perspective on

    I did read back and I am aware of what was said in this thread. It's all there. And even if he said something that was "wrong" or you didn't agree with, there's simply no way to behave and respond to that.

    I realize it's not nice to be told you're wrong in public, but there's no reason to make this personal towards me because all I'm trying to do is to keep this place a bit decent. You telling people they're morons just because they may be wrong (regardless whether they are or not) is not helping!

  • DomainBopDomainBop Member
    edited October 2013

    @Maounique Has anyone here managed to get a successful prosecution of some hacking against them? Did the police even listen to a complaint?

    We had a site hacked and defaced in 2001 (the only time we've had a site hacked), filed a report with the FBI as did several other small businesses that were attacked (a few dozen sites were hacked by this person), and the hacker ended up spending a year in federal prison. His arrest and prison time though had almost nothing to do with his hacking small businesses and almost everything to do with the US government using the hacking as an excuse to persecute the hacker for his beliefs and try to stifle free speech.

    FYI, the FBI never contacted us after we made the initial complaint...they were obviously too busy with their witch hunt.

    the hacker: http://en.wikipedia.org/wiki/Sherman_Austin

    edited to add: the hack was done through a backdoor he'd hidden in a chat script he sold.

  • c0yc0y Member

    @mpkossen said:
    You telling people they're morons just because they may be wrong (regardless whether they are or not) is not helping!

    You're right, it's inappropriate to call ignorant people morons just because they have been proved wrong by 5 people and still don't believe it

  • smansman Member
    edited October 2013

    @serverian said:
    sman, here you go buddy. You made me get a dev license, download old WHMCS and install it and execute the SQL code and record it:

    The code executed is AES_ENCRYPT(1,1), firstname=(SELECT * FROM (SELECT GROUP_CONCAT(email,0x3a,lastname,0x3a,phonenumber) FROM tblclients) as x)#

    The WHMCS version is 5.2.3

    No argument from me as WHMCS says that is what this exploit can do. You said the exploit allows you to DROP the table. Show me that.

    I believe going to Settings>General Settings>Other>Locked Client Profile Fields and checking first/last name would take care of this but not sure. Would like to see that tested if you don't mind. Not sure if you need to also Disable "Allow client registration" without ordering but it does make them waste more time trying so sounds good to me.

  • wcypierrewcypierre Member
    edited October 2013

    @sman said:
    I believe going to Settings>General Settings>Other>Locked Client Profile Fields and checking first/last name would take care of this but not sure. Would like to see that tested if you don't mind. Not sure if you need to also Disable "Allow client registration" without ordering but it does make them waste more time trying so sounds good to me.

    As a matter of fact, SQL Injection does allow you to drop the table or even the whole database, or even read/write from/to a file in an accessible directory, "provided" that the mysql user associated with the whmcs has the permission to do so. Normally drop privileges are not granted to the mysql user to prevent it from doing something silly (like in this case, dropping the whole table or the whole database itself).

    Why the focus is given on extracting information from the database is because select privileges are usually granted (in fact, almost all of the time, otherwise you won't be able to read anything such as a client's hashed password for comparison during login and such), so it is given a higher importance as this is the problem that you'll see on the default setup. But if you're able to drop a table or database with the default setup then I have nothing to say (it's either the db admin has accidentally granted the permission, or a bug in mysql, or you're using the root mysql user).

    I don't own a WHMCS license so I don't know what privileges are given to the associated mysql user, but I believe that it won't grant the mysql user drop privileges (for security purposes) so all is well.

    Source: http://dev.mysql.com/doc/refman/5.1/en/privileges-provided.html
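    To go with wcypierre's point about what the database account is allowed to do, here is an added example (not from this thread or from WHMCS) that audits SHOW GRANTS output for an application account and flags privileges an injection could abuse beyond reading rows. The grant lines are constructed samples and the account name 'whmcs'@'localhost' is assumed.

```python
import re

# Constructed sample SHOW GRANTS output for a least-privilege application
# account: USAGE only on *.*, then the four row-level privileges on one schema.
GRANTS_APP = [
    "GRANT USAGE ON *.* TO 'whmcs'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `whmcs`.* TO 'whmcs'@'localhost'",
]
# Constructed sample of the setup the thread warns about: a root-like account
# used by the web application.
GRANTS_ROOTLIKE = [
    "GRANT ALL PRIVILEGES ON *.* TO 'whmcs'@'localhost' WITH GRANT OPTION",
]

# Privileges that let an injection go beyond reading/updating rows
# (DROP for tables and databases, FILE for reading/writing server files).
DANGEROUS = {"DROP", "FILE", "ALTER", "CREATE", "SUPER",
             "GRANT OPTION", "ALL PRIVILEGES"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+(?P<who>\S+)"
    r"(?P<opt>\s+WITH GRANT OPTION)?$", re.IGNORECASE)

def parse_grant(line):
    """Split one SHOW GRANTS line into its privilege set, object and grantee."""
    m = GRANT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised grant line: {line!r}")
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    if m.group("opt"):
        privs.add("GRANT OPTION")
    return {"privs": privs, "on": m.group("obj"), "to": m.group("who")}

def audit_grants(lines):
    """Return (dangerous privileges held, whether any real privilege is
    granted server-wide on *.* rather than on a single schema)."""
    found = set()
    wide_scope = False
    for line in lines:
        g = parse_grant(line)
        found |= g["privs"] & DANGEROUS
        if g["on"] == "*.*" and g["privs"] != {"USAGE"}:
            wide_scope = True
    return found, wide_scope
```

An empty result with scope limited to the application schema is what the poster expects of a sane default; anything else means a successful injection can do more than read and update rows.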
