WHMCS Addresses 0day Rumor
WHMCS just released a statement about the 0day rumor that was circulating. They confirmed our original thoughts that the only vector was at the admin level.
"We are aware of a post that is circulating in which the author proposes an exploit via a cookie variable. However the proposed vulnerability is only possible if the attacker has gained access to a valid admin login session already through other means. For this reason, we feel that the viability of the vulnerability is not immediate nor is of a critical risk to installations.
Ongoing Discussion via WHT:
We can confirm this vulnerability vector does exist as we have already identified and resolved it in our currently in progress internal security audit. We have in fact also prepared a refinement to the code that will negate the proposed attack vector and we anticipate publishing a new release of the software next week that will include this change along with others found during our internal audit.
In the meantime however, you may download the hook file below and upload it to the /includes/hooks/ folder of your WHMCS installation to negate any potential attacks based on this - although please note this will also prevent admin list ordering from working fully in certain places."
They released a cookie overwrite hook in the event you are concerned: http://go.whmcs.com/262/cookie_override_hook