yggdrasil Posted June 12, 2018 Share Posted June 12, 2018 Today while doing something else I noticed that WHMCS allows anyone to upload files on the ticket form. I was wondering how safe this is for visitors and if maybe I should not remove the option from templates and only allow customers to see the upload form (only logged) but then it hit me that this is also possible by emailing the department... WHMCS has 2 measures as far as I know (since we can't see the code I don't if they do additional checks) regarding the security of those files. They rely on a white list (extensions) allowed and they also let you set a non public directory for files. The first one. I was wondering how easy it is to bypass by faking the extension or if you allow for example .zip, an attacker could then try to unzip this if they find a way to execute code on your server (trough another vulnerability). At least files are not public (assuming you are using the proper secure suggestions on WHMCS and have moved the upload folders out of your public root document). But then, since everything else is encoded in WHMCS we can't be sure of anything as nobody can see what they do or don't do and WHMCS didn't exactly had a great security record in the past. Using mime to check extensions? Not safe. I'm almost sure that WHMCS is not actually doing proper checks on files which makes me feel a bad awkward on even allowing users to upload them. But then, this is absolutely required for tickets and support. I would prefer to actually have a way to store them in a server that does not allow public execution of files. (static server, external to WHMCS or CDN). But then WHMCS would not have the option to configure this properly in the settings. I'm not saying here that WHMCS should do this. No. You can do this with your own script, cron, what ever and move them out of the WHMCS upload folder after they are uploaded but then the files link would be broken in WHMCS. Example, a staff user that clicks a file on his ticket would not work as the file is somewhere else. (broken link). For this to work I think WHMCS should have 2 additional settings: 1. A hook after a file was upload. To tell your script to move them to a CDN, static server, what ever. This could also be used to execute a security scan or something else you want on the files. 2. A setting in WHMCS that lets you set the full URL where those files will be now stored (they are now moved remember?) For anyone else interested, please see: https://www.acunetix.com/websitesecurity/upload-forms-threat/ https://paragonie.com/blog/2015/10/how-securely-allow-users-upload-files 0 Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.