The Latest in IT Security

WHMCS SQL Injection Vulnerability in the Wild

07
Oct
2013

A few days ago, a zero-day SQL injection vulnerability in WHMCS was disclosed by localhost.re, along with the exploit code. It was quickly patched by the WHCMS team and rated as critical since it allows an attacker full access to the database hosting WHMCS:

The vulnerability allows an attacker, who has valid login to the installed product, to craft a SQL Injection Attack via a specific URL query parameter against any product page that updates database information.

Creating a valid login is very easy and allowed by default through the registration page.

WHMCS is very popular amongst hosts, and if you use it, you need to update/patch it ASAP!

Attacks in the wild

Due to its severity, we knew it wouldn’t take long before attackers started to use it in the wild. Yesterday we detected the first cases of servers getting compromised due to it. This is an example that was triggered on our honeypots:

First Name: 'USERX' to 'AES_ENCRYPT(1,1), firstname= (SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)'
Last Name: 'LASTNAME' to '1'
Company Name: 'COMPANYNAME' to '1'
Address 1: 'USA' to '1'

As you can see, it is leveraging the SQL injection (by modifying the first name) to dump the user database along with hashed passwords from the database.

If you are using WHMCS, you have to update it now! Our users running our CloudProxy WAF are already protected by it, but we still recommend the update.

Leave a reply


Categories

THURSDAY, MARCH 28, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments