New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
WHMCS Silent Exploit?
http://freevps.us/thread-10448.html
Just reposting. (Direct link: http://zoned.pw/?p=9)
Time for a WHMCS Zero Day?
Comments
Hmm.
ok
http://img802.imageshack.us/img802/464/baqx.png = image from zoned.pw post.
good old imageshack vuln: http://img802.imageshack.us/img802/464/baqx.83522d24ee.xml
freevps.us owner confirmed that curtisg used that Tor IP to log in/access the forum.
When reading that article, the first thing I think about is the localhost.re guy. I dunno why, but I get that vibe that they're the same person.
I don't know/care what this pretentious-as-fuck "infosec" bullcrap is, but I highly doubt the localhost.re guy is Curtis.
curtisg chats on freevps and is active there. Guess he moved there once vpsboard and LET banned him. I think freevps need to take action as well.
The localhost.re guy at least understands English, the zoned.pw clearly doesn't. While zoned.pw tried to emulate localhost.re's style (for example with the image), he did a pretty fail job of it.
Any idea if the vulnerability is real though?
Paraphrasing WHMCS staff: [removed]
I'll just quote what Matt said:
"We have been made aware of that website and we are monitoring it for any further postings but at this time, what has been posted is not details of an exploit. The user makes some kind of reference to globals not being necessary which is incorrect, and then goes on to reference one of the functions used in sanitizing user input in WHMCS, but doesn't provide any valid way of using that to exploit a WHMCS installation in the real world. Please rest assured that we always take security seriously, and will continue to monitor and respond as necessary to any new information."
Yes, rest in peace, errr, assured, our code has no bugs.
Well, if the alert works then clearly it can be exploited to run less benign JavaScript code... say, one that suspends all accounts.
Aww say it ain't so.....
If you disable JavaScript while in the ticket area as an admin, the issue shouldn't be as bad. At least from what I can tell.
shrugs
so like idk curtisg posted another "exploit"
http://zoned.pw/?p=27
So curtisg decided to run a PHP analyzer on decoded WHMCS code, and he's posting all the false positives, including "exploits" generated by the analyzer that don't actually do anything.
Can he be more lame than this? Seriously, classic script kiddie stuff.
Curtisg, if you do infosec like you claim to, why can't you find actual vulnerabilities? Why not write an actual exploit, you know, by hand?
The difference between you and a skid that runs ./udp.pl is null. Well, actually, at least that skid may be successful.
^
Waiting to see who shuts down their WHMCS first.
Actually, I don't quite understand how that bug is. Except, I think Magic Quotes is deprecated!
Anyone shutting down WHMCS because of this?
http://freevps.us/thread-10453-post-122138.html#pid122138
curtisg claimed to have no part in this xd.
GetKVM did
Works here.
Are you sure? Check here
Or maybe not ;-)
Seems like the exploit would only work if some HTML tag uses ='' instead of ="" for attributes. But all the tags seem to use double quote. Of course, both are valid HTML.
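The quoting point in the comment above, as an added example that is not part of any poster's comment and is not WHMCS code: an encoder that escapes `"` but not `'` keeps a value inside a double-quoted attribute but not inside a single-quoted one. The encoder, templates and probe strings are constructed for illustration, on the assumption that the sanitizer behaves like PHP's `htmlspecialchars()` with `ENT_COMPAT`.

```python
from html.parser import HTMLParser

def escape_double_only(value):
    """Assumed sanitizer model: escapes & < > and " but leaves ' untouched."""
    return (value.replace("&", "&amp;").replace("<", "&lt;")
                 .replace(">", "&gt;").replace('"', "&quot;"))

def escape_both_quotes(value):
    """Hardened form: also escapes the single quote (ENT_QUOTES behaviour)."""
    return escape_double_only(value).replace("'", "&#039;")

class _AttrCollector(HTMLParser):
    """Records the attributes of each start tag as an HTML parser sees them."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(dict(attrs))

def parsed_attrs(markup):
    """Return the attribute dict of the first tag in `markup`."""
    collector = _AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags[0]

def injected_attrs(template, encoder, value):
    """Attribute names present after rendering that the template never declared."""
    attrs = parsed_attrs(template.format(encoder(value)))
    return sorted(set(attrs) - {"value"})

# Constructed templates: same tag, differing only in the attribute quote style.
SINGLE = "<input value='{}'>"
DOUBLE = '<input value="{}">'

# Constructed probes: a quote character followed by a harmless marker attribute.
PROBE_SINGLE = "x' data-injected='1"
PROBE_DOUBLE = 'x" data-injected="1'

if __name__ == "__main__":
    for name, tpl in (("single-quoted", SINGLE), ("double-quoted", DOUBLE)):
        for probe in (PROBE_SINGLE, PROBE_DOUBLE):
            weak = injected_attrs(tpl, escape_double_only, probe)
            strong = injected_attrs(tpl, escape_both_quotes, probe)
            print(f"{name:14} {probe!r:24} weak={weak} hardened={strong}")
```

Only the single-quoted template combined with the double-quote-only encoder yields an extra attribute; escaping both quote characters keeps the value intact in either template.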
He's not crazy, we did shut our corporate webserver down last night as it was late and there was no information released from WHMCS at the time. I didn't want to take any chances whilst I wasn't around to keep track of what was happening, what with all the problems of late with WHMCS/SolusVM.
http://us7.campaign-archive2.com/?u=c83ad39e562ce08576192372b&id=daa6b8c967&e=[UNIQID]
@GetKVM_Ash
Did you look at the exploit or just go into lockdown mode without thinking?
We contacted WHMCS and they said it was fine.
I looked at it, but it doesn't mean much to me since I'm not a PHP coder by any stretch of the imagination, I mean I know bits but nothing major.
After all the recent problems, I just thought to myself I either lock it down and get a good night's sleep, or leave it open for somebody to attempt whilst I'm not around (if it's a legitimate problem) and end up too late to the show as we've seen happen over the last few weeks.
"We don't endorse this website, nor recommend you visit the link BUT HERE YOU GO ANYWAY"
Seems like one giant overreaction tbh.
And you're entitled to your own opinion good sir.
AND MY OPINION IS THAT MY OPINION IS ALWAYS RIGHT! /sarcasm
But really though, that line that says "we don't recommend visiting the link" and then directly linking just made me chuckle.