
Web Hosting software WHMCS vulnerable to SQL Injection; emergency security update released

WHMCS, a popular client management, billing and support application for Web hosting providers, has released an emergency security update for the 5.2 and 5.1 minor releases to patch a critical vulnerability that had been publicly disclosed.

The vulnerability was publicly posted by a user named ‘localhost’ on October 3rd, 2013, and was also reported by several users on various hosting-related forums. The same user also released proof-of-concept exploit code for this SQL injection vulnerability in WHMCS.
WHMCS says the updates have “critical security impacts”: the flaw enables attackers to execute SQL injection attacks against WHMCS deployments in order to extract or modify sensitive information from their databases, including information about existing accounts and their hashed passwords, which can result in the compromise of the administrator account.

Yesterday a group of Palestinian hackers named KDMS Team possibly used the same vulnerability against one of the largest hosting providers, LeaseWeb. After obtaining the credentials, the attackers were able to deface the website via DNS hijacking.
While all versions of WHMCS are affected by this vulnerability, WHMCS v5.2.8 and v5.1.10 have been released to address it.

Just after the exploit was released online, CloudFlare added a ruleset to its Web Application Firewall (WAF) to block the specific attack vector. CloudFlare said that hosting partners behind its WAF can enable the WHMCS ruleset and implement best practices to be fully protected from the attack.
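The two defences the article mentions, patching the query itself and putting a WAF rule in front of it, are worth seeing side by side. The following is an added example written for this page, not WHMCS code and not CloudFlare's ruleset: a hypothetical client-lookup query in its injectable form next to the parameterized fix, plus a toy WAF-style signature. It uses Python with an in-memory SQLite database; the `clients` table, the sample rows, the placeholder hashes and the `INJECTION_PATTERN` signature are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample data for this added example; the hashes are placeholders.
SAMPLE_CLIENTS = [
    (1, "alice@example.test", "HASH_PLACEHOLDER_1"),
    (2, "bob@example.test", "HASH_PLACEHOLDER_2"),
]

# Hypothetical WAF-style signature; it is NOT CloudFlare's actual WHMCS ruleset.
INJECTION_PATTERN = re.compile(
    r"('\s*(or|and)\s+|--|;|/\*|\bunion\s+select\b)", re.IGNORECASE
)


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a hypothetical clients table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)", SAMPLE_CLIENTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable form: user input is spliced straight into the SQL text."""
    sql = (
        "SELECT id, email, password FROM clients WHERE email = '"
        + email
        + "' ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened form: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT id, email, password FROM clients WHERE email = ? ORDER BY id"
    return conn.execute(sql, (email,)).fetchall()


def vulnerable_lookup_errors(conn: sqlite3.Connection, email: str) -> bool:
    """True if the concatenated query fails on this input.

    A legitimate apostrophe (o'brien@...) breaks the vulnerable query, which is
    the same root cause as the injection: data and code share one string.
    """
    try:
        lookup_vulnerable(conn, email)
    except sqlite3.Error:
        return True
    return False


def looks_like_injection(value: str) -> bool:
    """WAF-style check: flag inputs containing common injection fragments."""
    return bool(INJECTION_PATTERN.search(value))


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))  # every row, hashes included
    print("safe:      ", lookup_safe(db, payload))        # no match
    print("waf flags: ", looks_like_injection(payload))   # True
```

The vulnerable lookup hands back every row, hashed passwords included, which is the outcome the article describes; the parameterized version returns nothing for the same input and also copes with a legitimate apostrophe that makes the concatenated query error out. The signature check is a useful stopgap while hosts upgrade, but it is heuristic: it flags harmless text such as `d'or et argent` and can be evaded by encodings it does not anticipate, so the upgrade to the patched release (or parameterized queries in code you control) remains the actual fix. In PHP, where WHMCS runs, the equivalent of the safe form is a PDO or mysqli prepared statement with bound parameters.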

Update (2:17 PM Monday, October 7, 2013 GMT):
LeaseWeb replied to The Hacker News and posted updates on their blog: "This DNS hijack was quickly detected and rectified by LeaseWeb’s security department."

"The unauthorized name server change for leaseweb.com took place at our registrar on Saturday 5 October, around 19:00 hours CET / 1 PM EST."

"Our security investigation so far shows that no domains other than leaseweb.com were accessed and changed. No internal systems were compromised."

"Details of how exactly the hijack could have happened are not yet 100% clear at the moment of writing."

LeaseWeb also explained to The Hacker News that they don’t use WHMCS software (which is currently vulnerable to a zero-day SQL injection flaw); they use their own in-house developed software for their client billing system.

"Right now, it appears that the hijackers obtained the domain administrator password and used that information to access the registrar."
