WHMCS 5.2.8 Vulnerability

Ishaq Member
edited October 2013 in General

WHMCS 5.2.8 is now vulnerable to an exploit according to localhost (full link removed)

Thanks WHMCS!


Comments

  • Stop posting these, really. Wait for people to patch it or remove their WHMCS first, then post it!

    Thanked by 3: Asim, dedicados, chauffer
  • @Jack

    I didn't notice until after posting :P

  • @serverian

    And we're supposed to warn them how?

  • Last time this got posted here, people got hacked because people saw it here first! You can mail the people you know, like I did, instead of posting it on a public forum with screenshots.

  • Posting them is the easiest way to let everyone know. Leaving it on a website that not everyone here reads opens up the exploit to those people.

    Tsume Member
    edited October 2013

    I like how people are jumping at chances to point out exploits in WHMCS. To hell with people who might be using their software. Now every Tom, Dick, and Harry can start exploiting into databases. Me, for example. If I wanted to, I could do some pretty horrid things with this knowledge now that I know it exists.

    TL;DR

    Stop posting these exploits the moment they come to light. You're doing more harm than good. Give the people a chance to protect themselves.

  • @serverian

    It's okay to post it on VPSB though?

    Thanked by 1: DeletedUser
  • @Tsume said:
    I like how people are jumping at chances to point out exploits in WHMCS. To hell with people who might be using their software. Now every Tom, Dick, and Harry can stop exploiting into databases. Me, for example. If I wanted to, I could do some pretty horrid things with this knowledge now that I know it exists.

    TL;DR

    Stop posting these exploits the moment they come to light. You're doing more harm than good. Give the people a chance to protect themselves.

    How can they protect themselves if they don't know? Are we supposed to PM every single host on here? And then email the others? It sheds the exploit to light a lot easier, the more people know about it.

    If people are that worried, then stop using WHMCS for a while.

  • @CurtisG - rocking the IonCube decoder since '12

  • @Ishaq said:
    serverian

    It's okay to post it on VPSB though?

    Check the forum of that thread genius.

    AnthonySmith Member, Patron Provider

    No one is right here; it is all frustration and panic reactions. Some people would rather know the source, others would not; if everyone had the same option, life would be dull.

    Deal with it and move on. Anyone with malicious intent already has the RSS feed from that site to start with.

    Anyway WHMCS down..

    Thanked by 1: perennate
  • Someone should make a page with a live counter "time since the last WHMCS exploit"...

    Thanked by 2: Saiku, tux
    sman Member
    edited October 2013

    @serverian said:
    Stop posting these really. Wait for people to patch it or remove their whmcs first then post it!

    Isn't that kind of like asking people to stop the water from coming out of the faucet by putting their palm in front of it?

    At least now I can test this before I patch it in order to call bullshit on the inevitable wild speculation on what it can and cannot do.

    For now as far as I can tell if you put your whmcs in maintenance mode it is safe until a patch is available. Anyone disagree?

  • @sman said:
    For now as far as I can tell if you put your whmcs in maintenance mode it is safe until a patch is available. Anyone disagree?

    It is, but we moved our installation. Better safe than sorry.

    sman Member
    edited October 2013

    @taronyu said:
    It is, but we moved our installation. Better safe than sorry.

    What do you mean? Just changed the directory so people can't find it? What about cron jobs and other background things?

    mikho Member, Host Rep

    In a way it's better to post it than not to; some of us do have a WHMCS installation but are not active here as a provider.

  • @sman said:
    What do you mean? Just changed the directory so people can't find it? What about cron jobs and other background things?

    It is a SQL injection, so if /includes/dbfunctions.php isn't accessible it should be okay.

    jar Patron Provider, Top Host, Veteran
    edited October 2013

    Just remember this is all courtesy of Ixam-hosting. Wouldn't be surprised if it's tied to their operation in an attempt to hurt competition. They've defended hosting this website. Probably get a heads up and a fix out of it. Unless I'm confusing it with the lookalike website, zoned whatever.

  • @jarland said:
    Just remember this is all courtesy of Ixam-hosting. Wouldn't be surprised if it's tied to their operation in an attempt to hurt competition. They've defended hosting this website. Probably get a heads up and a fix out of it. Unless I'm confusing it with the lookalike website, zoned whatever.

    Doesn't really matter where the site is hosted. And I don't find the guy guilty by posting these vulnerabilities. If these were real extreme vulnerabilities, then it would have been fine to blame this guy. However, these are just big jokes made by WHMCS clown team.

    perennate Member, Host Rep
    edited October 2013

    @taronyu said:

    You realize that dbfunctions.php is an include file? And that the sample exploit doesn't need to access this file directly?

    taronyu Member
    edited October 2013

    @perennate said:
    You realize that dbfunctions.php is an include file? And that the sample exploit doesn't need to access this file directly?

    Let me say it in different words:

    I was able to exploit our WHMCS installation, but after I put it in maintenance mode, not anymore. Need any more proof? Of course moving it will always be better, but it is 'safe'.

    Why? Because the .py file uses the viewtickets.php page, and you can't use the page anymore when it is in maintenance mode.

    HOWEVER i do not know what pages you can use.

    Thanked by 1: perennate
  • jar Patron Provider, Top Host, Veteran

    @serverian said:
    Doesn't really matter where the site is hosted. And I don't find the guy guilty by posting these vulnerabilities. If these were real extreme vulnerabilities, then it would have been fine to blame this guy. However, these are just big jokes made by WHMCS clown team.

    The guy with the blog has malicious intent. If he didn't, he wouldn't make sure to always arm people who don't know how to use the exploit with a script and tell them how to use it. I absolutely fault this jackass. Whmcs started it, sure, no reason to arm people against innocent hosts if your mission is just code accountability. We all know what this guy wants to do. He doesn't leave enough doubt as to that matter.

    perennate Member, Host Rep
    edited October 2013

    @taronyu said:
    I was able to exploit our WHMCS installation, but after I put it in maintenance mode, not anymore. Need any more proof? Of course moving it will always be better, but it is 'safe'.

    Sorry, I only read your last post :P

  • @perennate said:
    Sorry, I only read your last post :P

    No probs, I understand your point of view. :)

    Thanked by 1: perennate
  • perennate Member, Host Rep
    edited October 2013

    Edit: sorry I'm stupid, it's POST data. I had something to search logs for it but it won't work.

    Edit2: to catch script kiddies who don't bother modifying the exploit, you can do this to check if you've been hacked (replace the path with your log directory). If you don't see this, it's not a guarantee that you haven't been hacked, since the user agent can be anything, or even blank.

    grep -rF 'Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36' /var/log/apache2/
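An added example, not code from the thread, from WHMCS, or from the exploit author: the same check perennate's grep performs, done in Python over Apache combined-format access-log lines, with a second signal the thread gives (taronyu's note that the script goes through viewtickets.php with POST data). The user-agent string is the one quoted above; the log lines, IP addresses and the /whmcs/ install path are constructed for illustration. The caveats from the thread carry over: the user agent is trivially changed, and POST bodies are not written to the access log, so a POST to viewtickets.php is a lead to follow up, not proof of a successful injection.

```python
import re
import sys
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# User agent the unmodified exploit script sends (quoted in the thread).
EXPLOIT_UA = ("Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36")

# Page the script goes through, per the thread. The payload is POST data, so
# only the request line (method + path) is visible in the access log.
TARGET_SCRIPT = "viewtickets.php"

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"\s*$'
)


class Entry(NamedTuple):
    ip: str
    ts: str
    method: str
    path: str
    status: int
    ua: str


class Hit(NamedTuple):
    entry: Entry
    reasons: Tuple[str, ...]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one combined-format line; None for lines in another format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return Entry(m["ip"], m["ts"], m["method"], m["path"], int(m["status"]), m["ua"])


def script_name(path: str) -> str:
    """'/whmcs/viewtickets.php?tid=1' -> 'viewtickets.php', whatever the install dir."""
    return path.split("?", 1)[0].rsplit("/", 1)[-1]


def classify(entry: Entry) -> Tuple[str, ...]:
    """Indicators an entry matched; an empty tuple means nothing matched."""
    reasons = []
    if entry.ua == EXPLOIT_UA:
        reasons.append("exploit-script user agent")
    if entry.method == "POST" and script_name(entry.path) == TARGET_SCRIPT:
        reasons.append("POST to viewtickets.php")
    return tuple(reasons)


def scan(lines: Iterable[str]) -> List[Hit]:
    """Every parseable line that matched at least one indicator, in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            reasons = classify(entry)
            if reasons:
                hits.append(Hit(entry, reasons))
    return hits


def by_source(hits: Iterable[Hit]) -> Dict[str, int]:
    """Hits per client IP: who to block, and whose requests to check in the DB."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit.entry.ip] = counts.get(hit.entry.ip, 0) + 1
    return counts


# Constructed sample log (not real traffic): a clean GET, an unmodified exploit
# run, a run with the user agent changed, a UA-only match, an ordinary ticket
# view, and one line that is not in combined format at all.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [15/Oct/2013:10:02:11 +0000] "GET /whmcs/clientarea.php HTTP/1.1" '
    '200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0"',
    '198.51.100.23 - - [15/Oct/2013:10:03:45 +0000] "POST /whmcs/viewtickets.php HTTP/1.1" '
    '200 872 "-" "' + EXPLOIT_UA + '"',
    '198.51.100.77 - - [15/Oct/2013:10:04:02 +0000] "POST /whmcs/viewtickets.php HTTP/1.1" '
    '200 868 "-" "curl/7.32.0"',
    '203.0.113.9 - - [15/Oct/2013:10:05:10 +0000] "GET /whmcs/viewtickets.php?tid=123 HTTP/1.1" '
    '200 4120 "http://example.test/whmcs/" "' + EXPLOIT_UA + '"',
    '192.0.2.44 - jdoe [15/Oct/2013:10:06:30 +0000] "GET /whmcs/viewtickets.php?tid=12 HTTP/1.1" '
    '200 4098 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/29.0.1547.76 Safari/537.36"',
    'Oct 15 10:07:00 web1 sshd[1234]: not an access-log line',
])

if __name__ == "__main__":
    # Usage: python whmcs_log_check.py /var/log/apache2/access.log [more files]
    # With no arguments it runs over the constructed sample above.
    if len(sys.argv) > 1:
        lines = (l for p in sys.argv[1:] for l in open(p, errors="replace"))
    else:
        lines = SAMPLE_LOG.splitlines()
    found = scan(lines)
    for hit in found:
        e = hit.entry
        print(f"{e.ip} {e.ts} {e.method} {e.path} {e.status}: {', '.join(hit.reasons)}")
    print("hits per source:", by_source(found))
```

Matching the script name rather than the full path keeps the check working whatever directory WHMCS is installed in, which matters since several posters moved their installs. Rotated logs that have been gzipped are not read by this script or by the grep above; run it over them with zcat, or decompress first.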
  • @jarland said:
    The guy with the blog has malicious intent. If he didn't, he wouldn't make sure to always arm people who don't know how to use the exploit with a script and tell them how to use it.

    If Curtis actually had malicious intent, he'd just hack the hosts without publishing anything.

    sman Member
    edited October 2013

    I can confirm you cannot access anything when in maintenance mode, from real-world testing. Understandable, but I don't know how the maintenance mechanism works, so I wanted to confirm that for myself. The evil part requires them to know your admin directory as far as I can tell, so if you are using a custom one (as per WHMCS recommendations) then that should buy you some time.

    perennate Member, Host Rep

    @gsrdgrdghd said:

    That blog is certainly not run by Curtis. Curtis created a new blog emulating localhost.re and posted a bunch of "issues" with WHMCS code which weren't really issues, and certainly not exploits.

  • @gsrdgrdghd said:

    You have to realize that guy is 1000x smarter than Curtis, lol.

    perennate Member, Host Rep

    @sman said:
    I can confirm you cannot access anything when in maintenance mode from real world testing. Understandable but I don't know how the maintenance mechanism works so I wanted to confirm that for myself. The evil part requires them to know your admin directory as far as I can tell so if you are using a custom one (as per WHMCS recommendations) then that should buy you some time.

    You could just add some rules to your mod_security (also, it'd be hard to find a way to exploit it in the first place if you have mod_security installed). But then someone might find a different attack vector, so maintenance mode, or better yet disabling access to WHMCS completely, gives greater security.
