swilders (Posted October 28, 2013):

Hello, I've applied the last 2 security patches as soon as I received notification about them. This morning I found a new signup on our WHMCS install and the log shows the following:

Client Profile Modified - First Name: 'naksdnkas' to 'AES_ENCRYPT(1,1), firstname= (SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)', Last Name: 'asdasdas' to '1', Company Name: 'asdasdasd' to '1', Address 1: 'asdasdasd' to '1', Address 2: 'asdasd' to '1', City: 'sadasd' to '1', State: 'Bath and North East Somerset' to '1', Postcode: '56 564' to '1', Country: 'GB' to 'US', Phone Number: '435345345' to '1', Default Payment Method: '' to ''

Have I anything to worry about, or do the patches prevent this? I have ensured all admins have changed their passwords to be on the safe side.
WHMCS CEO Matt (Posted October 28, 2013):

Hi Shaun,

In recent versions of WHMCS, a submission like this poses no risk at all. This specific submission value was addressed and blocked in the 5.2.9 update, so providing you're running 5.2.9 or later there is nothing to worry about. You do not even need to reset passwords; the attempted attack will simply fail on current versions.

Matt
swilders (Author, Posted October 28, 2013):

Thanks Matt. We're running 5.2.12. I just wanted to be 100% sure. Thanks.
synik4l (Posted October 28, 2013):

> Hi Shaun, In recent versions of WHMCS, a submission like this poses no risk at all. This specific submission value was addressed and blocked in the 5.2.9 update, so providing you're running 5.2.9 or later there is nothing to worry about. You do not even need to reset passwords; the attempted attack will simply fail on current versions. Matt

What is being done about this problem overall? In one month there were 4 security problems, one of which was "fixed" with another security breach. How can we feel safe using your product with exploits popping up all over the place? Are you guys getting an external security audit done? This is completely ridiculous coming from a company of your size and notoriety. Someone also tried this exploit on us last night. If I were you guys, I would ask localhost.re to remove those blog posts so more people don't find it, as some people may not have updated in time. I'm worried about future bugs, since it only took one guy a couple of days to find major exploits in your code.
WHMCS Chris (Posted October 29, 2013):

Hello,

It's highly unlikely that it only took this individual a few days. It's more reasonable that he had a few and posted them in sequence, intentionally causing a degree of panic. We are in the middle of performing internal auditing and reviewing new external auditors.
whmuser87 (Posted October 30, 2013):

> Hello, It's highly unlikely that it only took this individual a few days. It's more reasonable that he had a few and posted them in sequence, intentionally causing a degree of panic. We are in the middle of performing internal auditing and reviewing new external auditors.

While I am happy to hear you guys are doing some heavy auditing, I don't think you completely answered him. Honestly, how can you say he had those planned already and posted them in order to start panic? I understand the last one, for the invoices; he could have held onto that one. But you guys fixed an exploit with another exploit. It looks like you guys spat out a quick fix, and then it took him a mere 13 days to crack that. This is all according to the dates on his site. So unless he's a mind reader and knew exactly how you guys were going to fix your code, I don't believe it's possible that it was planned.
ebmocwen (Posted October 30, 2013):

Just one thing to note: the fact that the AES_ENCRYPT post made it to your database does indicate that your mod_security rules might not be working, assuming that you have a current set such as the Atomicorp Gotroot set.
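A log-triage check for the situation described in this thread (the "Client Profile Modified" activity-log line in the first post, and the last reply's point that such a submission should have been caught before it reached the database). This is an added example, not WHMCS code and not anything posted by the thread's participants. It parses activity-log entries of the format shown in the first post into per-field old/new values and flags new values that carry SQL-injection indicators (MySQL function calls, a nested SELECT ... FROM, a reference to a WHMCS tbl* table, hex literals, or an extra column assignment smuggled in after a comma). The log entries are constructed for the example, modelled on the first post; the indicator names and the `tbl` table-prefix convention are this example's assumptions.

```python
import re
from typing import Dict, List

# Constructed sample activity-log entries, modelled on the line quoted in the
# first post. Entry 0 reproduces that injection attempt; entries 1 and 2 are
# ordinary edits (including an apostrophe in a value) that must not be flagged.
SAMPLE_LOG = [
    "Client Profile Modified - First Name: 'naksdnkas' to 'AES_ENCRYPT(1,1), "
    "firstname= (SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password "
    "SEPARATOR 0x2c20) FROM tbladmins)', Last Name: 'asdasdas' to '1', "
    "Address 1: 'asdasdasd' to '1', Country: 'GB' to 'US', "
    "Default Payment Method: '' to ''",
    "Client Profile Modified - First Name: 'Jane' to 'Janet', City: 'Bath' to 'Bristol'",
    "Client Profile Modified - Company Name: 'O'Reilly Ltd' to 'Smith & Sons (UK)'",
]

# One "Field Name: 'old' to 'new'" segment. Values are matched lazily and the
# closing quote of 'new' must be followed by the next field header or the end
# of the entry, so commas and apostrophes inside values do not split a field.
FIELD_RE = re.compile(
    r"([A-Z][A-Za-z0-9 ]*?): '(.*?)' to '(.*?)'(?=, [A-Z][A-Za-z0-9 ]*?: '|$)",
    re.DOTALL,
)

# Indicator names are this example's own labels (assumed, not WHMCS terms).
INDICATORS = {
    # MySQL functions that have no business in a name/address field
    "sql-function-call": re.compile(
        r"\b(AES_ENCRYPT|AES_DECRYPT|GROUP_CONCAT|LOAD_FILE)\s*\(", re.I),
    # a nested query reading from some table
    "subselect": re.compile(r"\bSELECT\b.+?\bFROM\b", re.I | re.S),
    # WHMCS tables share the tbl prefix (assumed convention, e.g. tbladmins)
    "whmcs-table-reference": re.compile(r"\btbl[a-z]+\b", re.I),
    # hex literals used as separators/strings inside SQL
    "hex-literal": re.compile(r"\b0x[0-9a-f]{2,}\b", re.I),
    # ", column= ..." inside a value: an extra SET clause riding along
    "smuggled-assignment": re.compile(r",\s*[a-z_]+\s*=", re.I),
}


def parse_fields(entry: str) -> List[Dict[str, str]]:
    """Split one activity-log entry into {field, old, new} records."""
    return [{"field": f, "old": o, "new": n} for f, o, n in FIELD_RE.findall(entry)]


def match_indicators(value: str) -> List[str]:
    """Return the names of all indicators that fire on a submitted value."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


def scan_log(entries: List[str]) -> List[Dict[str, object]]:
    """Return one finding per field whose new value looks like SQL, with
    the entry index, field name, offending value and the indicators hit."""
    findings: List[Dict[str, object]] = []
    for idx, entry in enumerate(entries):
        if not entry.startswith("Client Profile Modified"):
            continue
        for rec in parse_fields(entry):
            hits = match_indicators(rec["new"])
            if hits:
                findings.append({
                    "entry": idx,
                    "field": rec["field"],
                    "new": rec["new"],
                    "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"entry {f['entry']}: field {f['field']!r} hit {f['indicators']}")
        print(f"  value: {f['new']}")
```

Run over a real activity-log export, a single hit on any client-editable field is worth an alert on its own, since the value is already in the database by the time it is logged; the useful response is to confirm the installed version is at or beyond the fixed release, check whether the web application firewall in front of the site saw the request at all, and then decide on credential rotation from there.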