Hacking Incident

[Infopro]

Just to update this thread, the email is legit. It's automagically sent out via the Features site:

http://forum.whmcs.com/requests.php

[Walter Blanco]

sorry to say, but a 0day exploit has been release today

 

obviously i'm not going to give a link, it has been downloaded 350 times, be aware of this.

 

show i report it to whmcs? if yes, how? (i'm not a customer yet)

[bear]

I'm not seeing that in any of the usual places. How sure it's a newer one than the ones already released on the 3rd and 18th?

[Walter Blanco]

I'm not seeing that in any of the usual places. How sure it's a newer one than the ones already released on the 3rd and 18th?

 

Different code (this one is coded in PHP, not in python), it explicitly says "5.2.8" and has been published today (19th October)

 

Downloaded now 382 times, it's spreading fast.

 

faster your seat belts

[bear]

Current WHMCS is 5.2.9?

 

Ah, I see it now. Recent mod_sec rules posted on WHT would not allow that to work as written. Not sure about if it would actually work in WHMCS. Best open an urgent ticket, to be sure.

Edited October 19, 2013 by bear

[bear]

I opened a ticket with WHMCS letting them know, but on closer inspection, it's a variant on the one released on the 18th. Line 61 shows that.

[Walter Blanco]

Yes, it's another sql injection using, different than the previous one.

 

We are looking at the same exploit, good to read you've opened a ticket since i can't

[Si]

Is this a vulnerability not covered by 5.2.9? Should we shut down AGAIN?

[bear]

I can't say for certain, but to me it looks like it's using the same sort of vector as the second one, the one that 5.2.9 is supposed to have fixed.