Jowwow, Posted September 19, 2014

I'm getting frequent registrations using AES_ENCRYPT as part of the form fields. It appears that WHMCS has ZERO validation rules for normal fields, only for custom ones. How can this be remedied? If they are putting in junk it should flatly refuse the registration, not continue to allow it anyway. WHMCS says this is not a vulnerability as it only puts it in SQL as a text field. My view is it should never be allowed in the first place. Can anyone help stop this from happening?
SeanP, Posted September 19, 2014 (edited September 19, 2014 by SeanP)

You can try the following. This will error if anyone enters "AES_ENCRYPT" into any of the registration fields (even custom fields). It checks each field a user can enter text into for "AES_ENCRYPT" (case insensitive). If that string is found anywhere, they get an error and cannot submit the registration. Under "includes/hooks", create a file called "prevent_aes_encrypt.php". Within that file, put the following code:

<?php
if (!defined("WHMCS")) die("This file cannot be accessed directly");

function prevent_AES_ENCRYPT($vars) {
    // Standard profile fields a client can type into (a missing key defaults to "")
    $names = array('firstname', 'lastname', 'companyname', 'email', 'address1',
                   'address2', 'city', 'postcode', 'phonenumber', 'securityqans');
    $fields = array();
    foreach ($names as $name) {
        $fields[$name] = isset($vars[$name]) ? $vars[$name] : '';
    }
    // Custom fields are passed as an array under 'customfield' (absent if none are defined)
    $customfields = (isset($vars['customfield']) && is_array($vars['customfield']))
        ? $vars['customfield'] : array();

    // Reject if "aes_encrypt" appears anywhere in any value, case insensitive
    foreach (array_merge($fields, $customfields) as $value) {
        if (is_string($value) && stripos($value, 'aes_encrypt') !== false) {
            return 'You have entered invalid information in one or more fields.';
        }
    }
}

add_hook("ClientDetailsValidation", 1, "prevent_AES_ENCRYPT");
?>
imaticon, Posted September 19, 2014

Hi, you can write a small hook and make any kind of validation you like: http://docs.whmcs.com/Hooks:ClientDetailsValidation

Regards, Marco
Jowwow (Author), Posted September 20, 2014

Quoting SeanP:
> You can try the following. This will error if anyone enters "AES_ENCRYPT" into any of the registration fields (even custom fields). It checks each field a user can enter text into for "AES_ENCRYPT" (case insensitive). If that string is found anywhere, they get an error and cannot submit the registration. Under "includes/hooks", create a file called "prevent_aes_encrypt.php". Within that file, put the following code:
>
> <?php
> if (!defined("WHMCS")) die("This file cannot be accessed directly");
>
> function prevent_AES_ENCRYPT($vars) {
>     // Standard profile fields a client can type into (a missing key defaults to "")
>     $names = array('firstname', 'lastname', 'companyname', 'email', 'address1',
>                    'address2', 'city', 'postcode', 'phonenumber', 'securityqans');
>     $fields = array();
>     foreach ($names as $name) {
>         $fields[$name] = isset($vars[$name]) ? $vars[$name] : '';
>     }
>     // Custom fields are passed as an array under 'customfield' (absent if none are defined)
>     $customfields = (isset($vars['customfield']) && is_array($vars['customfield']))
>         ? $vars['customfield'] : array();
>
>     // Reject if "aes_encrypt" appears anywhere in any value, case insensitive
>     foreach (array_merge($fields, $customfields) as $value) {
>         if (is_string($value) && stripos($value, 'aes_encrypt') !== false) {
>             return 'You have entered invalid information in one or more fields.';
>         }
>     }
> }
>
> add_hook("ClientDetailsValidation", 1, "prevent_AES_ENCRYPT");
> ?>

What does the last line do? Specifically the ", 1," part; I don't see that in the hooks section. Can you add multiple hooks per file? And TYVM!!!! I have mod_sec in place but apparently it still allows them to save the data.

- - - Updated - - -

Quoting imaticon:
> Hi, you can write a small hook and make any kind of validation you like: http://docs.whmcs.com/Hooks:ClientDetailsValidation
> Regards, Marco

Trying to learn how to do so. Thanks to siteox I now have a rough idea how to get started with hooks. I need to make one for passing a client login to Joomla, so hopefully this will give me an idea how to do so. When you run a hook, is it safe to pass the password or should that be done via the API?
sentq, Posted September 21, 2014

Quoting Jowwow:
> What does the last line do? Specifically the ", 1," part; I don't see that in the hooks section. Can you add multiple hooks per file?

You can add as many hook actions in one file as you need. @SiteOx provided a complete hook function that you need to add to anyfilename.php inside your /includes/hooks/ directory, then try to access the client area as a client and change some information with/without the blocked words.

Also:

add_hook("WhenToRunThisHook", "PriorityOrOrderingNumber", "FunctionNameToRun");
SeanP, Posted September 21, 2014 (edited September 21, 2014 by SeanP)

Quoting Jowwow:
> What does the last line do? Specifically the ", 1," part; I don't see that in the hooks section. Can you add multiple hooks per file? And TYVM!!!! I have mod_sec in place but apparently it still allows them to save the data. Trying to learn how to do so. Thanks to siteox I now have a rough idea how to get started with hooks. I need to make one for passing a client login to Joomla, so hopefully this will give me an idea how to do so. When you run a hook, is it safe to pass the password or should that be done via the API?

sentq answered your first two questions well (thanks, sentq!). As for your question about authentication from Joomla: if you are trying to auto-authenticate a client from Joomla, you wouldn't do that with a hook. You should use the AutoAuth feature: http://docs.whmcs.com/AutoAuth

You can also use a Joomla bridge/autoauth module. There are some in the WHMCS app store. Just visit the following link and search for "Joomla": http://www.whmcs.com/appstore
Jowwow (Author), Posted September 22, 2014 (edited September 22, 2014 by Jowwow)

Tried a few, not much luck...

@siteox I ran the hook and sure enough it triggers the error, but surprisingly the AES_ENCRYPT is still added to the database LOL
SeanP, Posted September 22, 2014

Quoting Jowwow:
> Tried a few, not much luck... @siteox I ran the hook and sure enough it triggers the error, but surprisingly the AES_ENCRYPT is still added to the database LOL

It should prevent clients from registering if "AES_ENCRYPT" is in any of the fields. Are you using the API to add clients? I tested the registration forms, but didn't test any other methods of adding new clients.
Jowwow (Author), Posted September 23, 2014

Not that I know of; I'm using a normal install and your hook. I only did what you said. I have a ticket open with WHMCS regarding this and they said it's working, but I KNOW it's not working in admin view, and the idiot was just able to register (w/o paying for service *sigh*) and then changed it yet again on the address1 and address2 fields.

Sorry I'm answering so late, I'm getting notices you are responding... I'll try to fix that right now.
Dentoo, Posted November 21, 2014

Temp (half) fix that you can do until a proper fix is available:

Go to Setup -> General Settings -> Other and there check "Locked Client Profile Fields" -> "Address 2".

This will prevent clients from changing the Address 2 field without contacting you. I figure the Address 2 field will not be used by most real clients, so few will be affected when they need to make a change, while the hacking attempt always enters something in the second address field.

Not a permanent fix, but it might help for now...
netwood, Posted November 26, 2014

I created the "prevent_aes_encrypt.php" hook but they can still register. Do I need to do something to activate the hook for customer registration? If not, I guess the hook doesn't work.
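A defender-side check, added here and not from any post in the thread: because several replies report the string still reaching the database even with the hook installed, it is worth querying for client rows that already carry it so they can be reviewed and cleaned up. The table and column names are assumed from a stock WHMCS schema (tblclients and tblcustomfieldsvalues); verify them against your own install.

```sql
-- Added example, not from the thread. Lists client records whose free-text fields
-- already contain AES_ENCRYPT, with the client id and the field that matched.
-- Assumed stock WHMCS tables: tblclients (id, firstname, lastname, companyname,
-- address1, address2, city, postcode, phonenumber) and
-- tblcustomfieldsvalues (fieldid, relid, value). Check these against your schema.
-- The backslash escapes the underscore, which is otherwise a single-character
-- wildcard in LIKE; matching is case-insensitive under MySQL's default collations.
SELECT id AS userid, 'firstname' AS field, firstname AS value
  FROM tblclients WHERE firstname LIKE '%AES\_ENCRYPT%'
UNION ALL
SELECT id, 'lastname', lastname
  FROM tblclients WHERE lastname LIKE '%AES\_ENCRYPT%'
UNION ALL
SELECT id, 'companyname', companyname
  FROM tblclients WHERE companyname LIKE '%AES\_ENCRYPT%'
UNION ALL
SELECT id, 'address1', address1
  FROM tblclients WHERE address1 LIKE '%AES\_ENCRYPT%'
UNION ALL
SELECT id, 'address2', address2
  FROM tblclients WHERE address2 LIKE '%AES\_ENCRYPT%'
UNION ALL
SELECT id, 'city', city
  FROM tblclients WHERE city LIKE '%AES\_ENCRYPT%'
UNION ALL
SELECT id, 'postcode', postcode
  FROM tblclients WHERE postcode LIKE '%AES\_ENCRYPT%'
UNION ALL
SELECT id, 'phonenumber', phonenumber
  FROM tblclients WHERE phonenumber LIKE '%AES\_ENCRYPT%'
UNION ALL
-- Custom field values live in a separate table keyed by client id (relid)
SELECT relid, CONCAT('customfield:', fieldid), value
  FROM tblcustomfieldsvalues WHERE value LIKE '%AES\_ENCRYPT%'
ORDER BY userid, field;
```

Run it read-only first; rows it returns are the ones that got past the client-area hook through another path (admin area, API, or a pre-existing record) and need to be corrected by hand.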