
Can't thwart hackers by requiring login to place orders


swinghosting


A couple times a year, I see a hacking attempt. The exact method differs, but they always start by creating a user account/order. I modified my template's cart template to show only a link to the login page if the user is not logged in. Unfortunately, that doesn't do anything against attackers because WHMCS allows them to create an order directly by submitting POST data. The log file for a recent attack looked like this:

[26/Oct/2014:08:26:09 -0500] "GET /account/cart.php?a=add&domain=register HTTP/1.1"
[26/Oct/2014:08:26:09 -0500] "POST /account/cart.php?a=add&domain=register HTTP/1.1"
[26/Oct/2014:08:26:10 -0500] "GET /account/cart.php?a=confdomains HTTP/1.1"
[26/Oct/2014:08:26:10 -0500] "POST /account/cart.php?a=confdomains HTTP/1.1"
[26/Oct/2014:08:26:10 -0500] "GET /account/cart.php?a=view HTTP/1.1"
[26/Oct/2014:08:26:11 -0500] "POST /account/cart.php?a=checkout HTTP/1.1"
[26/Oct/2014:08:26:13 -0500] "GET /account/cart.php?a=complete HTTP/1.1"
[26/Oct/2014:08:26:13 -0500] "GET /account/viewinvoice.php?id=258 HTTP/1.1"
[26/Oct/2014:08:26:14 -0500] "GET /account/clientarea.php HTTP/1.1"
[26/Oct/2014:08:26:14 -0500] "POST /account/dologin.php HTTP/1.1"
[26/Oct/2014:08:26:15 -0500] "GET /account/clientarea.php HTTP/1.1"
[26/Oct/2014:08:26:15 -0500] "GET /account/clientarea.php?action=details HTTP/1.1"
[26/Oct/2014:08:26:15 -0500] "POST /account/clientarea.php?action=details HTTP/1.1"
[26/Oct/2014:08:26:16 -0500] "GET /account/clientarea.php?action=details HTTP/1.1"

After creating the order, they attempted an SQL injection, which doesn't work, fortunately. They are able to do this via scripts without logging in, despite the fact that if you go to any of these pages on my site, all you get is a link to login!

1. Good God, why does WHMCS not use nonce?

→ That would completely solve this, yes?

2. WHMCS should realize this activity is too fast for a human to complete.

→ Sure, script kiddies would just add some delay… but still, this would be a good idea.

3. Why, oh why, does WHMCS not randomize table prefixes?

→ That way, any SQL injection attempt that managed to execute somehow would not know the table names. Sheesh.

4. It would be nice if WHMCS had an option to disable anonymous orders. Is there a modification I can make to achieve this?

→ If WHMCS used nonce, my existing modifications would be sufficient, but my changes are useless if an attacker can simply submit an order directly via POST.
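Point 2 (order flow too fast for a human) and the anonymous-order pattern (checkout POSTed before any dologin.php POST) can both be checked from the access log. The script below is an added example, not code from the post or from WHMCS: it parses the request sequence quoted above (reproduced here as constructed sample input, without client IP or status fields) and flags an order that was checked out before login or completed faster than an assumed human threshold.

```python
import re
from datetime import datetime

# Constructed sample input: the request sequence quoted in the post above.
SAMPLE_LOG = """\
[26/Oct/2014:08:26:09 -0500] "GET /account/cart.php?a=add&domain=register HTTP/1.1"
[26/Oct/2014:08:26:09 -0500] "POST /account/cart.php?a=add&domain=register HTTP/1.1"
[26/Oct/2014:08:26:10 -0500] "GET /account/cart.php?a=confdomains HTTP/1.1"
[26/Oct/2014:08:26:10 -0500] "POST /account/cart.php?a=confdomains HTTP/1.1"
[26/Oct/2014:08:26:10 -0500] "GET /account/cart.php?a=view HTTP/1.1"
[26/Oct/2014:08:26:11 -0500] "POST /account/cart.php?a=checkout HTTP/1.1"
[26/Oct/2014:08:26:13 -0500] "GET /account/cart.php?a=complete HTTP/1.1"
[26/Oct/2014:08:26:14 -0500] "POST /account/dologin.php HTTP/1.1"
"""

LINE_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed threshold: a person filling in the domain, cart and checkout
# forms takes far longer than this; tune it for your own store.
MIN_HUMAN_CHECKOUT_SECONDS = 30

def parse_log(text):
    """Return (timestamp, method, path) tuples for lines matching the log format."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"]))
    return rows

def analyse_order_flow(rows, min_seconds=MIN_HUMAN_CHECKOUT_SECONDS):
    """Flag a cart flow that was checked out before any login and/or too fast."""
    first_add = next((t for t, m, p in rows if "cart.php?a=add" in p), None)
    checkout = next((t for t, m, p in rows if m == "POST" and "cart.php?a=checkout" in p), None)
    complete = next((t for t, m, p in rows if "cart.php?a=complete" in p), None)
    login = next((t for t, m, p in rows if m == "POST" and p.startswith("/account/dologin.php")), None)
    result = {"anonymous_checkout": False, "elapsed_seconds": None, "too_fast": False}
    if checkout is not None:
        # Checkout with no login at all, or a login that only happened afterwards.
        result["anonymous_checkout"] = login is None or checkout < login
    if first_add is not None and complete is not None:
        elapsed = (complete - first_add).total_seconds()
        result["elapsed_seconds"] = elapsed
        result["too_fast"] = elapsed < min_seconds
    result["suspicious"] = result["anonymous_checkout"] or result["too_fast"]
    return result

if __name__ == "__main__":
    print(analyse_order_flow(parse_log(SAMPLE_LOG)))
```

On the sample above the flow is flagged on both counts: checkout precedes the login POST, and add-to-complete took 4 seconds. For a real log, group lines by client IP or session first, then run the check per group.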
