PHP and Website Security Social Media and News

The Growing Attacks of WHMCS Local File Disclosure Vulnerability

WHMCS Vulnerability

A lot of websites have been defaced and attacked for the previous months, most of these websites were vulnerable to SQLI, Timthumb Exlploit, and the rabid WHMCS Local File Disclosure Exploit. Most of the websites that were pawned by the WHMCS LFD Exploit are VPS Hosting Companies which resulted into mass defacing.

WHMCompleteSolution or WHMCS component is a client management, billing, and support for online businesses mostly used by hosting companies but the versions 3.x.x and some 4.x.x has a viral exploit that some website administrators took for granted. In this article we will try to look into this very viral exploit in order to promote security awareness. I’m not really sure who the pioneered this exploit since a lot of people have submitted to different Exploit databases regarding this vulnerability.

The vulnerable code is located under cart.php which contains:

There is a also a vulnerable code under the clientarea.php as what I read in Exploit-DB which has the same procedure in viewing the file diclosure.

Proof of Concept

Vulnerable Link: www.lolz.ph/cart.php?a=account&templatefile=../../../configuration.php%00

So if you view the source of the URL page, you should be able to see the $db_username and the $db_password which could be used for logging in to the FTP Login or the SSH, in fact sometimes you just need to change the username to root in order to login as the root of the box.

Local File Disclosure

How to Fix This Exploit

In order to resolve this issue, you need to upgrade your version to WHMCS V4.5.2 which can be downloaded under the My Licenses section of the client area as usual to download @ www.whmcs.com/members/clientarea.php. For the complete documentation about the WHCMS Upgrade click this link.

Other Resources:

http://myhosting.com/statusblog/2011/10/17/whmcs-vps-security-alert-patch-fix/

http://blog.whmcs.com/

Leave a Reply