WHMCS Exploit

[imtiax]

A User sent me a message today requesting $15 because he says he found a vulnerblity.

 

I really don't think I should have to pay him $15 for this, maybe one of the WHMCS staff can tell me which file he loaded.

 

I did not edit any WHMCS files, what ever was in the latest version is on my server.

 

This is a picture of the message he sent me. http://i.imgur.com/MO6G3hi.png

 

Note that, I do not have any debug mode running.

 

 

--

 

Can someone tell me what file he ran, There are no shells loaded on my server, everything is secure. It is something to do with one of the WHMCS files.

[imtiax]

Edit:

 

I talked to my host and they provided the solution

 

You add

 

<?php

if(isset($_GET['licensedebug']))

{

unset($_GET['licensedebug']);

exit('Sorry');

}

?>

 

To the top of your configuration.php file

 

So that

 

http://cryptic-hosting.net/?licensedebug

 

Does not work any more.

 

[Bubka3]

That's not an exploit, that's intended.

[imtiax]

<?php
if(isset($_GET['licensedebug']))
{
unset($_GET['licensedebug']);
exit('Sorry');
}
?>

 

Will adding that code To the top of configuration.php be a problem or cause conflict with any other files?

Edited February 2, 2013 by imtiax

[WHMCS Chris]

Yeah this isn't an exploit by any means. Its intended functionality of the licensing system.

[Daniel]

<?php
if(isset($_GET['licensedebug']))
{
unset($_GET['licensedebug']);
exit('Sorry');
}
?>

 

Will adding that code To the top of configuration.php be a problem or cause conflict with any other files?

 

Nope, it won't cause a problem.

[bear]

I think I'd remind the person that sent you that about the laws regarding extortion. Demanding money to reveal something potentially damaging is against the law in most places.

[Daniel]

Makes you wonder how many people fall for it and end up paying up too.