Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


PSA: WHMCS Security Update You Probably Didn't Know About (Revenue Impacting)
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

PSA: WHMCS Security Update You Probably Didn't Know About (Revenue Impacting)

dustincdustinc Member, Patron Provider, Top Host

For providers here using WHMCS, recently on June 20, 2023, WHMCS silently published a security update on their blog without any sort of email announcement or social media announcement. This affects all WHMCS versions prior to that date.

According to WHMCS, the security update is described as: “An important payment assertion issue and an XSS security issue have been identified that affect all versions of WHMCS.

While not exactly client impacting, this could have resulted in lost revenue for providers, as it essentially allows bad actors to falsely mark invoices as paid, when it in fact was not.

To patch yourself from this vulnerability going forward, update your WHMCS to the latest version, or follow the patch set instructions mentioned at https://blog.whmcs.com/133735/security-update-2023-06-20

How to Check If You Were Previously Affected

The best way to check is by comparing payments made to you (within your merchant accounts) against the paid invoices within the WHMCS system.

Our team at RackNerd found that this vulnerability usually involves one invoice ID being factually paid and another unpaid invoice ID sharing the same transaction ID as the paid invoice. Typically, if there's malicious intent, a smaller invoice will be actually paid, with a larger invoice falsely marked as paid using the same transaction ID.

ATTN Providers:

To assist you further (which should not be a substitute for manually auditing, but still helps point you towards the right direction), our development folks at RackNerd have created an SQL query that you can run within your WHMCS database. This will help identify any duplicate transaction IDs that may exist within your WHMCS database. The query below is read-only and does not write any changes to your database, but we still recommend taking a backup before running any MySQL operations.

SELECT a.* FROM tblaccounts a JOIN ( SELECT transid FROM tblaccounts WHERE transid IS NOT NULL AND transid <> '' AND description NOT LIKE '%Refund%' GROUP BY transid HAVING COUNT(transid) > 1 ) b ON a.transid = b.transid WHERE a.transid IS NOT NULL AND a.transid <> '' AND a.description NOT LIKE '%Refund%';

After running the above query, sort by date (newest to oldest) and examine the "invoiceid" and "transid" columns. If you notice a "transid" being the same on different invoice IDs, you might want to manually check to see if that was intentional.

While WHMCS did not release specifics regarding the vulnerability as they mentioned "Further details about these issues will not be disclosed at this time", our observations suggest that it mainly affects providers using WHMCS in conjunction with Stripe.

Comments

  • MannDudeMannDude Patron Provider, Veteran

    It wasn't silent. They sent an email out about it.

  • dustincdustinc Member, Patron Provider, Top Host

    @MannDude said:
    It wasn't silent. They sent an email out about it.

    Hi @MannDude -- I'm glad to hear you did receive it (which should mean that some other folks did too). On our side, we didn't receive an email, though fortunately we did spot the blog post quickly (despite no social media announcement). I held off on making this post until the team and I could better determine the facts with regards to the impact of this vulnerability, and a clearer understanding of its patterns/behaviors (given the limited information available/disclosed by WHMCS so far). We also held off until we had wrapped up the SQL query that I've now mentioned in my original post.

    If you received the email... then my guess would be that the mass email they sent didn't fully finish sending to all active license holders, or something of that nature.

    I don't see any mention of it in the "Email History" section of the WHMCS client area either:

    image

    Thanked by 1MannDude
  • @MannDude said:
    It wasn't silent. They sent an email out about it.

    And you kept it to yourself :)

  • jarjar Patron Provider, Top Host, Veteran
    edited July 2023

    And that's why you limit traffic to payment callback scripts. Or, at least, audit web server logs for POST requests made to them.

    Thanked by 1darkimmortal
  • DPDP Administrator, The Domain Guy

    @hellb0y said:

    @MannDude said:
    It wasn't silent. They sent an email out about it.

    And you kept it to yourself :)

    How sure are you he kept it to himself? :smiley:

    He could've shared or talked about it within his circle, or via other channels.

  • MannDudeMannDude Patron Provider, Veteran

    @DP said:

    @hellb0y said:

    @MannDude said:
    It wasn't silent. They sent an email out about it.

    And you kept it to yourself :)

    How sure are you he kept it to himself? :smiley:

    He could've shared or talked about it within his circle, or via other channels.

    I just assumed everyone else got the email as well.

  • MannDudeMannDude Patron Provider, Veteran
    edited July 2023

    Email from 06/21/2023:

  • emghemgh Member

    @dustinc said: Hi @MannDude -- I'm glad to hear you did receive it (which should mean that some other folks did too). On our side, we didn't receive an email

    Maybe it got lost during the RAID failure? :D

  • crunchbitscrunchbits Member, Patron Provider, Top Host

    @MannDude said:
    Email from 06/21/2023:

    Yeah we got the same email on 6/21/2023 @ 6:48AM. Had they not sent the email I don’t think I would have been so eager to update and check our database. I don’t use social media so I would not have seen it there.

Sign In or Register to comment.