
stop invalid name, email, and other fields on registration


Jowwow

Recommended Posts

I'm getting frequent registrations using AES_ENCRYPT as part of the form fields. It appears that WHMCS has ZERO validation rules for normal fields, only for custom ones. How can this be remedied. If they are putting in junk it should flat refuse the registration, not continue to allow it anyway.

WHMCS says this is not a vulnerability as it only puts it in sql as a text field. My view point is it should never be allowed in the 1st place. Can anyone help stop this from happening?


You can try the following. This will error if anyone enters "AES_ENCRYPT" into any of the registration fields (even custom fields). It checks each field a user can enter text into for "AES_ENCRYPT" (case insensitive). If that string is found anywhere, they get an error and cannot submit the registration.

 

Under "includes/hooks", create a file called "prevent_aes_encrypt.php". Within that file, put the following code:

 

<?php

if (!defined("WHMCS"))
    die("This file cannot be accessed directly");

function prevent_AES_ENCRYPT($vars) {

    // Standard client profile fields that a user can type into. Keys that are not
    // present in this submission are skipped instead of raising PHP notices.
    $fieldNames = array('firstname', 'lastname', 'companyname', 'email', 'address1',
        'address2', 'city', 'postcode', 'phonenumber', 'securityqans');

    $fields = array();
    foreach ($fieldNames as $name) {
        if (isset($vars[$name])) {
            $fields[$name] = $vars[$name];
        }
    }

    // Custom fields arrive as an array under the 'customfield' key (the original
    // used the literal key '$customfield', which never matches).
    $customfields = (isset($vars['customfield']) && is_array($vars['customfield']))
        ? $vars['customfield'] : array();

    // Substring match, case insensitive: the original in_array() test only matched a
    // field whose whole value was exactly "aes_encrypt", so "AES_ENCRYPT(...)" passed.
    foreach (array_merge(array_values($fields), array_values($customfields)) as $value) {
        if (is_string($value) && stripos($value, 'aes_encrypt') !== false) {
            return 'You have entered invalid information in one or more fields.';
        }
    }

}

add_hook("ClientDetailsValidation", 1, "prevent_AES_ENCRYPT");

?>

Edited by SeanP


what does the last line do? specifically the , 1, I don't see that in the hooks section. Can you add multiple hooks per file?

and TYVM!!!! I have mod_sec in place but apparently it still allows them to save the data.

 

- - - Updated - - -

 

Hi,

 

You can write a small hook and make all kind of validation you like:

 

http://docs.whmcs.com/Hooks:ClientDetailsValidation

 

Regards,

Marco

 

Trying to learn how to do so. Thanks to siteox I now have a rough idea how to get started with hooks. I need to make one for passing a client login to Joomla so hopefully this will give me an idea how to do so. When you run a hook is it safe to pass the password or should that be done via the api?


what does the last line do? specifically the , 1, I don't see that in the hooks section. Can you add multiple hooks per file?

 

you can add as many hook actions in one file as you need,

@SiteOx provided a complete hook function that you need to add to anyfilename.php inside your /includes/hooks/ directory

then try to access client area as a client and change some information with/without the blocked words.

 

also:

add_hook("WhenToRunThisHook", "PriorityOrOrderingNumber", "FunctionNameToRun");

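The hook SeanP posted is a denylist: it only catches the one string the thread has seen, and the registrations Jowwow describes look like automated probes that will vary the payload. The sturdier defence for free-text profile fields is allowlist validation (reject anything that does not look like a name, address or phone number), with a denylist kept only as a second layer that also records the attempt. The following hooks file is an added example and not SeanP's code, WHMCS's own code, or anything from this thread; it uses the add_hook signature sentq describes above to register two ClientDetailsValidation hooks in one file with different priorities. The field names are those from SeanP's hook, the regular expressions and length limits are this example's own choices, and the 'customfield' array key is an assumption about what the hook receives. logActivity() is WHMCS's built-in activity-log function.

```php
<?php
// Added example: two ClientDetailsValidation hooks in one file, run in priority order.
// Regex allowlists and the 'customfield' key are assumptions, not WHMCS documentation.

if (!defined("WHMCS"))
    die("This file cannot be accessed directly");

// Allowlist patterns for the standard profile fields (hypothetical limits). A value
// that does not match is rejected, which covers "AES_ENCRYPT(...)" and any other
// SQL-looking junk without having to enumerate function names.
function registration_field_patterns() {
    return array(
        'firstname'   => '/^[\p{L}\p{M}\' .-]{1,64}$/u',
        'lastname'    => '/^[\p{L}\p{M}\' .-]{1,64}$/u',
        'companyname' => '/^[\p{L}\p{M}\p{N}&\' .,-]{0,128}$/u',
        'address1'    => '/^[\p{L}\p{M}\p{N}#\/\' .,-]{1,128}$/u',
        'address2'    => '/^[\p{L}\p{M}\p{N}#\/\' .,-]{0,128}$/u',
        'city'        => '/^[\p{L}\p{M}\' .-]{1,64}$/u',
        'postcode'    => '/^[\p{L}\p{N} -]{0,16}$/u',
        'phonenumber' => '/^[\p{N}+ ().-]{0,32}$/u',
    );
}

// Priority 1: positive (allowlist) validation of the standard fields.
// Returning a non-empty string tells WHMCS to halt the submission with that message.
function registration_allowlist_check($vars) {
    $errors = array();
    foreach (registration_field_patterns() as $name => $pattern) {
        if (!isset($vars[$name])) {
            continue;   // field not part of this form submission
        }
        if (!is_string($vars[$name]) || !preg_match($pattern, $vars[$name])) {
            $errors[] = 'The ' . $name . ' field contains characters that are not allowed.';
        }
    }
    if (isset($vars['email']) && filter_var($vars['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'The email address is not valid.';
    }
    return $errors ? implode(' ', $errors) : null;
}

// Priority 2: denylist of known SQL-function tokens across every free-text field,
// custom fields included, plus an activity-log entry so probing is visible in the
// WHMCS activity log instead of failing silently. Extend $tokens as new junk shows up.
function registration_sql_token_check($vars) {
    $tokens = array('aes_encrypt');
    $values = array();
    foreach ($vars as $key => $value) {
        if (is_string($value)) {
            $values[$key] = $value;
        }
    }
    if (isset($vars['customfield']) && is_array($vars['customfield'])) {   // assumed key
        foreach ($vars['customfield'] as $id => $value) {
            if (is_string($value)) {
                $values['customfield[' . $id . ']'] = $value;
            }
        }
    }
    foreach ($values as $key => $value) {
        $lower = strtolower($value);
        foreach ($tokens as $token) {
            if (strpos($lower, $token) !== false) {
                logActivity('Registration rejected: token "' . $token . '" found in field ' . $key);
                return 'You have entered invalid information in one or more fields.';
            }
        }
    }
    return null;
}

add_hook("ClientDetailsValidation", 1, "registration_allowlist_check");
add_hook("ClientDetailsValidation", 2, "registration_sql_token_check");
```

Drop this into includes/hooks/ as its own file. The second hook is the one that answers Jowwow's "why is it still in the database" question in practice: the activity-log line shows which field carried the token and whether the hook fired at all for a given submission path, which is the first thing to check before assuming the hook is broken.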

what does the last line do? specifically the , 1, I don't see that in the hooks section. Can you add multiple hooks per file?

and TYVM!!!! I have mod_sec in place but apparently it still allows them to save the data.

 

Trying to learn how to do so. Thanks to siteox I now have a rough idea how to get started with hooks. I need to make one for passing a client login to Joomla so hopefully this will give me an idea how to do so. When you run a hook is it safe to pass the password or should that be done via the api?

 

sentq answered your first two questions well (thanks, sentq!). As for your question about authentication from Joomla...

 

If you are trying to auto authenticate a client from a Joomla, you wouldn't do that with a hook. You should use the AutoAuth feature:

 

http://docs.whmcs.com/AutoAuth

 

You can also use a Joomla bridge\autoauth module. There are some in the WHMCS app store. Just visit the following link, and search for "Joomla":

 

http://www.whmcs.com/appstore

Edited by SeanP

tried a few not much luck...

@siteox I ran the hook and sure enough it triggers the error but surprisingly the AES_ENCRYPT is still added to the database LOL

 

It should prevent clients from registering if "AES_ENCRYPT" is in any of the fields. Are you using the API to add clients? I tested the registration forms, but didn't test any other methods of adding new clients.


not that I know of, I'm using normal install and your hook. I only did what you said. I have a ticket open with whmcs regarding this and they said it's working but I KNOW it's not working in admin view and the idiot was just able to register ( w/o paying for service *sigh* ) and then changed it yet again on the address1 and address2 fields.

Sorry I'm answering so late, I'm getting notices you are responding.. I'll try to fix that right now.


1 month later...

Temp (half)fix that you can do until a proper fix is available:

 

Go to Setup -> General Settings -> Other

 

And there check "Locked Client Profile Fields" -> "Address 2"

 

This will prevent clients from changing the Address 2 field without contacting you.

I figure the Address 2 field will not be used by most real clients so few will be affected when they need to make a change, while the hacking attempts always enter something in the second address field.

 

Not a permanent fix but it might help for now...
