jeffuk Posted June 28, 2021

I wasn't sure where to post this, but I wondered if any other WHMCS users have received emails like these? I have been contacted several times by individuals requesting a bounty for discovering that WHMCS has a clickjacking vulnerability. The email begins like this and targets clientarea.php:

Quote: Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. The server didn't return an X-Frame-Options header which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

I've ignored the emails, but now the emails are getting a little more aggressive, with threats of leaking this to black hat hackers.
UnwilfulExpenditure Posted June 28, 2021

1 hour ago, jeffuk said: I wasn't sure where to post this, but I wondered if any other WHMCS users have received emails like these? I have been contacted several times by individuals requesting a bounty for discovering that WHMCS has a clickjacking vulnerability. The email begins like this and targets clientarea.php. I've ignored the emails but now the emails are getting a little more aggressive with threats of leaking this to black hat hackers.

Initially, I thought it was another WHMCS price increase! But I've come to learn it's just spam 😂

Whilst there are many bugs in WHMCS, a properly configured install isn't that vulnerable compared to any other site; there are more flaws in WHMCS that pose a significant risk than clickjacking! Don't engage or feed them and they should go away! Although that sounds like the WHMCS approach to support. Just give your site a once-over to be sure, but I'd guess the guy with the most western-sounding name but broken English literacy skills will go away! 🙂

We had one on an old site. We offered to pay the bounty to their bank account, if they provided all tax details and photographic ID.... I was called a flurry of names, sent threats, and eventually they stopped replying! It must have been too much effort for $10k 😛 I only engaged because it was shut down and no clients used it anymore; we were testing 7.10 at the time on it..... Ahhh, simple times!
bear Posted June 28, 2021

4 minutes ago, UnwilfulExpenditure said: Whilst there are many bugs in WHMCS, a properly configured install isn't that vulnerable compared to any other site.

This isn't a WHMCS bug. It's a server-side setting that can easily be enabled/added and would work for all sites, not just WHMCS. "The server didn't return an X-Frame-Options header."

The fix: https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html
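A quick way to verify the server-side fix bear points at on your own install: the script below inspects a page's response headers and reports whether anything stops other origins from framing it. This is an added example written for this thread, not WHMCS code or anything from the OWASP page. It goes slightly beyond the email's X-Frame-Options check by also recognising the Content-Security-Policy frame-ancestors directive, which current browsers prefer over X-Frame-Options when both are present; the function names and the sample header sets are my own constructions.

```python
"""Report whether HTTP response headers protect a page against clickjacking.

Added example for the WHMCS forum thread; not WHMCS code. The sample header
dictionaries below are constructed, not captured from a real server.
"""
from typing import Mapping, Optional
import urllib.error
import urllib.request


def framing_protection(headers: Mapping[str, str]) -> Optional[str]:
    """Describe the framing policy found in `headers`, or return None when
    nothing prevents other sites from embedding the page in an iframe.

    Header names are matched case-insensitively, as browsers do.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    # Preferred defence: Content-Security-Policy with a frame-ancestors
    # directive. When present, browsers use it and ignore X-Frame-Options.
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:]
            # 'none', 'self' or an explicit origin list restricts framing;
            # an empty list or '*' allows anyone to frame the page.
            if sources and sources != ["*"]:
                return "CSP frame-ancestors " + " ".join(sources)
            return None

    # Legacy defence: X-Frame-Options DENY or SAMEORIGIN.
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "X-Frame-Options " + xfo
    # ALLOW-FROM is obsolete and ignored by current browsers, so it does not
    # count as protection.
    return None


def check_url(url: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch `url` (a site you administer) and report its framing policy.

    Error responses (4xx/5xx) carry headers too, so they are inspected as well.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "framing-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return framing_protection(dict(resp.headers.items()))
    except urllib.error.HTTPError as err:
        return framing_protection(dict(err.headers.items()))


# Constructed sample responses modelled on the cases discussed in the thread.
UNPROTECTED = {"Content-Type": "text/html; charset=utf-8", "Server": "Apache"}
PROTECTED_XFO = {"Content-Type": "text/html", "X-Frame-Options": "sameorigin"}
PROTECTED_CSP = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}


if __name__ == "__main__":
    import sys

    for target in sys.argv[1:]:
        policy = check_url(target)
        print(f"{target}: {policy or 'NO framing protection (add X-Frame-Options or frame-ancestors)'}")
```

Run it as `python3 framing_check.py https://billing.example.com/clientarea.php` against your own site after adding the header in the web server or application config; once it prints an X-Frame-Options or frame-ancestors line, the condition the bounty emails describe no longer applies.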
UnwilfulExpenditure Posted June 28, 2021

7 minutes ago, bear said: This isn't a WHMCS bug. It's a server-side setting that can easily be enabled/added and would work for all sites, not just WHMCS.

Agreed, hence the quote: a properly configured install isn't that vulnerable compared to any other site.

The link you shared was a nice read though. Never seen that site before!

Out of a morbid curiosity, do you think these spammers search for that particular PHP file to find installs? Because I'm pretty confident mine were fine, certainly to the degree needed to prevent the average SK exploiting my site! I personally think it's just people chancing it on WHMCS installs (amongst other SW), knowing that it's somewhat believable there are vulnerabilities. Curious to hear your thoughts, bear!

Loving your pic btw, and brian!'s 😂
bear Posted June 28, 2021 (edited)

Do they search for a file? Many ways to find WHMCS installs. Simplest is a Google dork for the "powered by" line, which will find all those that had not paid to remove it. Second might be to look for a very common file/URL, then read the source for the base URL bit (yup, even in branding-free licenses, this exists on all pages: "whmcsBaseUrl"). So secretive. 🙄

Of course, simpler still is trying to load a page from lots of sites within an iframe and see what gets returned. If there's no header returned about Xframes, record that URL for a further look (odds are good there's tons). If they run WHMCS, they are accepting signups and are more interested in security (Joe Public with a cat-related WordPress won't have a clue), so it's a target they're more likely to get paid by reporting, and so on.

Edited June 28, 2021 by bear
UnwilfulExpenditure Posted June 28, 2021

1 minute ago, bear said: Do they search for a file? Many ways to find WHMCS installs. Simplest is a Google dork for the "powered by" line, which will find all those that had not paid to remove it. Second might be to look for a very common file/URL, then read the source for the base URL bit. Of course, simpler still is trying to load a page from lots of sites within an iframe and see what gets returned. If there's no header returned about Xframes, record that URL for a further look (odds are good there's tons). If they run WHMCS, they are accepting signups and are more interested in security (Joe Public with a cat-related WordPress won't have a clue), so it's a target they're more likely to get paid by reporting, and so on.

Of course, yeah. The logic behind the reasoning is sound. But don't you dare disparage my page about Lady Fluffs-a-lot; she is a true example of feline excellence. As a premium member of the site, you should know this 😛
jeffuk (Author) Posted June 28, 2021

29 minutes ago, bear said: This isn't a WHMCS bug. It's a server-side setting that can easily be enabled/added and would work for all sites, not just WHMCS.

Thanks for the link. I will go through it.