HostingSecList - Security notices for the hosting community.


WHMCS Addresses 0day Rumor

WHMCS just released a statement about the 0day rumor that was circulating. They confirmed our original thoughts that the only vector was at the admin level.

"We are aware of a post that is circulating in which the author proposes an exploit via a cookie variable. However, the proposed vulnerability is only possible if the attacker has already gained access to a valid admin login session through other means. For this reason, we feel that the viability of the vulnerability is not immediate, nor is it of critical risk to installations.

We can confirm this vulnerability vector does exist, as we have already identified and resolved it in our currently in-progress internal security audit. We have in fact also prepared a refinement to the code that will negate the proposed attack vector, and we anticipate publishing a new release of the software next week that will include this change along with others found during our internal audit.

In the meantime however, you may download the hook file below and upload it to the /includes/hooks/ folder of your WHMCS installation to negate any potential attacks based on this - although please note this will also prevent admin list ordering from working fully in certain places."

They released a cookie overwrite hook in the event you are concerned:
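To show what a "cookie overwrite" hook of this kind does, here is an added illustration written for this notice; it is not the hook file WHMCS distributed and not code from RACK911 Labs. WHMCS never published the affected cookie name, so the name in the list below is a placeholder (an assumption), as is the choice to run the overwrite when the hook file is included during WHMCS initialisation rather than at a later hook point. The real WHMCS file will differ; the point is the technique: blank the value in the request before any page logic can read it, and expire it in the browser so it is not sent again. As WHMCS warns, this kind of overwrite breaks whatever feature legitimately used the cookie, which is why admin list ordering stops working.

```php
<?php
// Added example for illustration only (not the WHMCS-supplied hook file).
// Drop into /includes/hooks/ of a WHMCS installation; WHMCS includes every
// PHP file in that folder during initialisation (assumption: that include
// happens before admin page logic reads $_COOKIE).

if (!defined("WHMCS")) {
    die("This file cannot be accessed directly");
}

/**
 * Cookies this hook refuses to trust. The name here is a PLACEHOLDER: the
 * real cookie name involved in the reported issue was not published.
 */
function hsl_untrusted_admin_cookies()
{
    return array('WHMCSAdminListOrder'); // assumption, not a real WHMCS name
}

/**
 * Overwrite untrusted cookies in the current request and expire them in the
 * browser. Blanking $_COOKIE matters more than setcookie(): setcookie() only
 * affects the *next* request, while the current one is the one being attacked.
 */
function hsl_cookie_overwrite()
{
    foreach (hsl_untrusted_admin_cookies() as $name) {
        if (!isset($_COOKIE[$name])) {
            continue;
        }
        $_COOKIE[$name] = '';                       // neutralise for this request
        if (!headers_sent()) {
            setcookie($name, '', time() - 3600, '/'); // expire it client-side
        }
    }
}

// Run immediately at include time so it precedes any admin page code; this
// deliberately applies to every request, which is what disables list ordering.
hsl_cookie_overwrite();
```

When the official fix ships, remove this file: a hook that blanks the cookie on every request will keep admin list ordering broken even after the underlying code has been corrected.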

Ongoing Discussion via WHT:
Our mailing address is:
RACK911 Labs
1110 Palms Airport Drive
Suite 110
Las Vegas, NV 89119


Copyright © 2013 RACK911 Labs, All rights reserved.