Wabun Posted March 17, 2014 (edited)

Another attempt to hack. I really thought this was stopped by the security patches. WHMCS, why not restrict the fields in tblclients to a certain length, so no script can be run from there? A new user signed up and ran the code in his first name to change user details.

AES_ENCRYPT(1,1), firstname= (SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)

Date: 17/03/2014 19:55
IP Address: 198.176.28.48
Host: dns48.rootleveltech.com
First Name: 'rizki' to 'AES_ENCRYPT(1,1), firstname= (SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)'
Last Name: 'vinoe' to '1'
Company Name: 'dsfsd' to '1'
Address 1: 'tang' to '1'
Address 2: 'tange' to '1'
City: 'tangerang' to '1'
State: 'edsrews 12' to '1'
Postcode: '15540' to '1'
Country: 'ID' to 'US'
Phone Number: '6283876088530' to '1'
Default Payment Method: '' to ''
Mobile number: '6283876088530' to ''
rizki.vinoe@gmail.com

Edited March 17, 2014 by Wabun
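A defender-side check for this kind of "client details changed" notification, added here as an example and not part of the thread or of WHMCS itself: it parses the "Field: 'old' to 'new'" lines and flags new values that look like SQL rather than a name or address, so such a change can be reviewed before anyone assumes only the client's own record was touched. The sample notification, the field length limits and the keyword list are constructed assumptions.

```python
import re

# Constructed sample in the shape of the notification quoted above; the
# client values and IP are made up, the first-name payload is the one from the post.
SAMPLE_NOTIFICATION = """\
Date: 17/03/2014 19:55
IP Address: 192.0.2.10
First Name: 'alice' to 'AES_ENCRYPT(1,1), firstname= (SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,password SEPARATOR 0x2c20) FROM tbladmins)'
Last Name: 'smith' to '1'
City: 'tangerang' to '1'
Country: 'ID' to 'US'
"""

# One "Field: 'old' to 'new'" line of the notification.
CHANGE_RE = re.compile(r"^(?P<field>[A-Za-z0-9 ]+): '(?P<old>.*)' to '(?P<new>.*)'$")

# Heuristic indicators; these flag a change for review, they do not block it.
SQL_TOKENS = re.compile(
    r"\b(select|union|from|where|insert|update|delete|group_concat|aes_encrypt|"
    r"load_file|information_schema|tbl[a-z]+)\b", re.IGNORECASE)
HEX_LITERAL = re.compile(r"\b0x[0-9a-f]{2,}\b", re.IGNORECASE)   # 0x3a, 0x2c20
COMMENT_SEQ = re.compile(r"(--\s|/\*)")
COLUMN_ASSIGN = re.compile(r"\b[a-z_]+\s*=\s*\(?\s*select\b", re.IGNORECASE)  # col= (SELECT ...

# Assumed per-field maximum lengths (the OP's "restrict the fields to a certain length").
MAX_FIELD_LEN = {"First Name": 64, "Last Name": 64, "Postcode": 16}
DEFAULT_MAX_LEN = 128


def parse_changes(text):
    """Return (field, old, new) for every change line in the notification."""
    changes = []
    for line in text.splitlines():
        m = CHANGE_RE.match(line.strip())
        if m:
            changes.append((m["field"], m["old"], m["new"]))
    return changes


def suspicious_reasons(field, value):
    """List the indicators that make a new field value look like SQL."""
    reasons = []
    if len(value) > MAX_FIELD_LEN.get(field, DEFAULT_MAX_LEN):
        reasons.append("length")
    if SQL_TOKENS.search(value):
        reasons.append("sql-keyword")
    if HEX_LITERAL.search(value):
        reasons.append("hex-literal")
    if COMMENT_SEQ.search(value):
        reasons.append("sql-comment")
    if COLUMN_ASSIGN.search(value):
        reasons.append("column-assignment")
    return reasons


def flag_notification(text):
    """Map each flagged field of a notification to its reasons."""
    return {field: suspicious_reasons(field, new)
            for field, _old, new in parse_changes(text)
            if suspicious_reasons(field, new)}
```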
bear Posted March 17, 2014

Were you *actually* hacked, or just had someone try? Looks like someone tried, but with a current install all that should be possible is changing their own info.
vec Posted March 17, 2014

What version of WHMCS are you running? That's the first thing.
Wabun Posted March 17, 2014 (Author)

@bear, well, that was my question, but the ? is missing in the title and I can't modify the titles, it seems. I am using the latest version, but how can I be sure only the user details were changed and nothing was displayed?

- - - Updated - - -

Hi Vec, the latest version, 5.3.5. As soon as it came out, I patched it.
vec Posted March 17, 2014

You are safe, but I'd just log into the admin and look at your admin details and those of other admins, if there are any. That's really what they want: your admin login and password.