Netix Posted October 27, 2013

Hello, I have got this email:

Client ID: XXXX has requested to change his/her details as indicated below:

Company Name: '' to 'AES_ENCRYPT(1,1), companyname=((SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins))'
Default Payment Method: '' to ''

If you are unhappy with any of the changes, you need to login and revert them - this is the only record of the old details.

And when I go to the client details I see admin emails and encrypted passwords in the company name field of this client. Is it normal that a field can run an SQL query, or is there a problem with my configuration?

Thanks

TommyK Posted October 27, 2013

You probably haven't applied the latest security updates and you should upgrade now. Also you should probably check what harm might have been caused.

WHMCS CEO Matt Posted October 27, 2013

This was patched against in the v5.2.9 release so in any version later than that it poses no risk. If you are running an earlier version please update as soon as possible as there have been a number of important security updates recently (http://blog.whmcs.com/)

Matt

Netix (Author) Posted October 27, 2013

Thank you for the fast reply. Version was 5.2.7 and now it is upgraded to the latest version.

DavidBee Posted October 27, 2013

> Thank you for the fast reply. Version was 5.2.7 and now it is upgraded to the latest version.

Can't you see the red upgrade notice next to the version? It's really careless of you not to upgrade your billing system.

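The advice above to check what harm was caused can start with the change-notification emails themselves. The script below is an added example, not part of the thread and not WHMCS code: it parses the "Field: 'old' to 'new'" lines of a notification and flags new values that contain SQL syntax. The marker list, function name and benign sample are assumptions made for illustration.

```python
import re

# One "Field: 'old' to 'new'" line of the change-notification email.
CHANGE_LINE = re.compile(r"^(?P<field>[^:\n]+):\s*'(?P<old>.*?)'\s+to\s+'(?P<new>.*)'\s*$")

# Heuristic markers (assumed, not exhaustive) of SQL syntax in a profile value.
SQL_MARKERS = {
    "subquery": re.compile(r"\bselect\b.+\bfrom\b", re.I | re.S),
    "sql_function": re.compile(r"\b(?:aes_encrypt|group_concat|concat|load_file)\s*\(", re.I),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{2,}\b", re.I),
    "column_assignment": re.compile(r",\s*\w+\s*=\s*\("),
}

def suspicious_changes(email_body):
    """Return (field, new_value, marker_names) for each change that looks like SQL."""
    findings = []
    for line in email_body.splitlines():
        m = CHANGE_LINE.match(line.strip())
        if not m:
            continue  # not a field-change line (greeting, footer, ...)
        hits = [name for name, rx in SQL_MARKERS.items() if rx.search(m["new"])]
        if hits:
            findings.append((m["field"].strip(), m["new"], hits))
    return findings

# The notification quoted in the first post of this thread.
REPORTED_EMAIL = """\
Client ID: XXXX has requested to change his/her details as indicated below:
Company Name: '' to 'AES_ENCRYPT(1,1), companyname=((SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins))'
Default Payment Method: '' to ''
If you are unhappy with any of the changes, you need to login and revert them - this is the only record of the old details.
"""

# Constructed benign notification, for comparison.
BENIGN_EMAIL = """\
Client ID: 1234 has requested to change his/her details as indicated below:
Company Name: 'Acme' to 'O'Brien & Sons Hosting (UK) Ltd'
Default Payment Method: 'paypal' to 'banktransfer'
"""

if __name__ == "__main__":
    for field, value, hits in suspicious_changes(REPORTED_EMAIL):
        print(f"{field}: {', '.join(hits)}")
    print("benign findings:", suspicious_changes(BENIGN_EMAIL))
```

An empty result only means these markers were absent from the emails scanned; it does not show that an installation was unaffected.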