Security Vulnerability Concern

[yggdrasil]

I was not sure if I should post this, but I will since even if its true, some may not even consider this a security issue but a nasty bug. If it was a real issue I would not post this on public.

 

I have noticed lately that several hackers are registering in v6 using subdomain to the same installation where v6 is hosted. I have another v5 running and they never tried this. Only on v6 they are trying this.

 

Lets say your WHMCS installation is running on example.com

 

The fraudsters user are registered hosting accounts like this:

merchant.example.com or just anything random here + your actual domain name. They are attempting sub domains of the main domain.

 

The orders where stopped but its clear what they are trying to achieve here. A domain like that does not technically exists, so what they try is to bypass fraud checks you have or if they fail get registered automatically when a subdomain under your main installation. This is a hack attempt of some type. A normal user would never use a subdomain from the company they are purchasing the hosting.

 

What is really surprising is that WHMCS does not let this by nature in the ordering process if you have domains required for an order.

 

I cannot register an account using a subdomain, WHMCS will complain the domain is not valid (which is not).

 

But for some reasons the hackers bypass this check. There are no errors in the server and all I managed to find in the servers logs is that they go directly to this url:

cart.php?a=add&pid=1&domainselect=1

 

And then automatically to the product configuration:

cart.php?a=confproduct&i=0

 

Someone should try to test this more extensive. WHMCS should not be allowing subdomains on the domain ordering part.

 

Notice that this is not the same as ordering a hosting account with a subdomain or hostname on a server.

 

What is concerning is that the hackers must know some vulnerability that will allow them to pull them off using a subdomain on your main installation. Its only a question time before an order like this could pass. So someone should really check where the bug is that is allowing them to order sub domains or better, make some security checks on what this could potentially be harming an active installation.

 

Actually, I think last year, I suggest something which could stop this attempts but I was ignored. What I suggest would even prevent this type of attacks in the future for any module in WHMCS. cPanel servers for example have a list of forbidden domain names, like gmail.com, google.com and others domains which should never be activated on a server. I suggest the same for WHMCS. There should be an option under WHMCS just like banned emails, called Banned Domains. You do not want to let users order domains like google.com or gmail.com on your own install. That can only be a bad thing.

 

You could be using a module that could potentially be dangerous if its ordered like that and activated in your services. How hard can it be to implement this? All the ordering process has to do before letting any user complete an order is to check this allowed list. At least as minimum, WHMCS should not let people order using your domain name right? It does not even have to be in the WHMCS GUI, even a text file in the server which you can manually update would work for most users.

 

Attacks like this would be completely stopped right on its track never allowing anyone to complete an order and trying to bypass any checks or get some service activated. Now I'm starting to see this attacks on v6. I don't know what the attackers want to exploit, but it must be something in WHMCS, because all I know is:

 

1. They know it's a WHMCS installation.

2. Its not cPanel security issue, because they ordered with subdomains in another product which is a manual module (nothing automated)

3. They didn't try this on my v5 installation, even while back then I suggest a domain ban list since I already knew this was a bad idea, but now on v6 I see this type of attacks

 

Assuming this I can say they are trying to get something activated under a subdomain in your main install and trick some cross domain check WHMCS probably has or browser have, and it will be easier for them using a subdomain under your main installation to pull the hack attempt. If I have to guess maybe it's a probably a SQL injection of some type that affects v6 installation and pulling them off under a subdomain activated in WHMCS will pass the security checks in place.

 

My first concern is finding out how they are even ordering with a subdomain. The domain check in v6 is some ajax check, which they are probably not using and sending POST requests directly to the server. I assume this are not just using JavaScript checks, if yes, most attackers have JS disabled so they can bypass any name/field checks.

 

Assuming this is nothing bad (which I don't think so, otherwise they are ordering with subdomain under your main installation) I'm at least still curious how they are bypassing WHMCS ordering process and using a subdomain.

[Infopro]

...

Actually, I think last year, I suggest something which could stop this attempts but I was ignored.

 

...

 

I think you're speaking of your post in the beta testers forum suggesting new features:

http://forums.whmcs.com/showthread.php?102311-7-small-Features-I-would-like-to-see-in-version-6

 

New Features need to be posted to the WHMCS Feature Requests site.

 

If you've got a security concern, you should open a ticket directly to WHMCS Technical Support.

[yggdrasil]

I think you're speaking of your post in the beta testers forum suggesting new features:

http://forums.whmcs.com/showthread.php?102311-7-small-Features-I-would-like-to-see-in-version-6

 

New Features need to be posted to the WHMCS Feature Requests site.

 

If you've got a security concern, you should open a ticket directly to WHMCS Technical Support.

 

I don't know if there is a security concern because so far I stopped the orders.

 

But I know there is a bug somewhere that is allowing them to order hosting accounts with subdomains. Not one time, but several times so far. I'm still researching how they are doing this as I cannot seem to order with a subdomain myself.

 

The feature request sites does not work for me. I don't know why, but its very slow and does not allow me to either log in or post anything. It will always timeout, browsers can only wait for sometime...

 

It only happens with that page on the whmcs site. All others load fine. Trust me, I tried. But I don't have patience to wait for 20 minutes and multiple attempts each time I want to comment something there, or suggest a feature.

 

Personally, I think the feature requests should be part of this forum, part of the community and not require an extra login either.

Edited February 29, 2016 by yggdrasil

[Infopro]

There have been a few upgrades to the Features site recently that may have sorted any issues you were seeing. I was seeing some slow downs as well. Not now though, seems to be running pretty good.

[yggdrasil]

There have been a few upgrades to the Features site recently that may have sorted any issues you were seeing. I was seeing some slow downs as well. Not now though, seems to be running pretty good.

 

I don't think that is the case because I always had those issues with the Features Requests subdomain. Even last year. Its always slow and takes forever to respond to any action like posting a comment or sending a feature. Only voting seems to work, even that takes like 10 or more seconds to confirm as well.

 

It's the service they are using which is horrible slow or overloaded. I'm not even sure why they are spending money on that service when they can build the same on this Vbulletin software forum by using prefixed tags in the posts and voting options. In a special category only for requests this would work. Maybe not as fancy, but at least it would work as opposed to their current page. It would also promote the community here. Just look how people comment and discuss some features. So that should be part of the discussion here, not on a voting idea site.

[WHMCS John]

Hi,

If you believe you have identified a security concern, we welcome responsible disclosure and have a security bounty program to verify and reward the reporting of such matters: http://www.whmcs.com/security-bounty-program/

 

I would encourage you to report your concerns at the above website.

[yggdrasil]

Hi,

If you believe you have identified a security concern, we welcome responsible disclosure and have a security bounty program to verify and reward the reporting of such matters: http://www.whmcs.com/security-bounty-program/

 

I would encourage you to report your concerns at the above website.

 

I'm still investigating this. But I found out how they are landing on the pages since I spotted yesterday night another attempt but this one I catched the hacker live and tricked him into a honeypot to get more information.

 

They are basically doing a Google search for WHMCS carts like this:

 

Texas hosting inurl:cart.php

 

Then just click on all WHMCS installation and start ordering.

 

Do you think this hook:

http://docs.whmcs.com/Hooks:CartSubdomainValidation

 

Or the domain hook could work to check a list of not allowed domains/subdomains before ordering and block them?

 

Even if there is no security problem here, this is really getting out of hands. Now basically almost half of the accounts are closed because they are fraud. To have so many customers ID's, invoices and other data which is invalid is just basically creating trash data on my live database. And I don't delete the fraud accounts for security/investigations purposes. Invoices and ID's are unique, so they are basically increasing the counters for nothing.

 

I also noticed that it's the same malicious person in some cases, even using exactly the same registration data a few days later. Even when they where blocked before, they register a week later with similar details. So this is automated or semi automated or are just playing on the probability chances, that a small % of installations will allow them to proceed.

 

I would seriously suggest someone on WHMCS to setup a dummy WHMCS installation online with some dummy data, and let it be hit by bots and hackers. Then you are going to see how nasty the problem is.

 

The bots don't even bother to check if it's a real company with a real product. If you block one product (which I did by putting them out of stock the second the hacker tried to order) he goes back and tries to order another product. Any product. Some are clearly robots because from the time they land on the cart to to completing the order it takes less than a few seconds in total so even something as detecting how fast someone is ordering would stop them because a human person does not do all that in just a few seconds.

 

All they want is WHMCS access as a customer account. And they order first because they assume most WHMCS installations don't allow registration without ordering something first.