WHMCS critical vulnerability - all versions - patch now

AnthonySmith (Administrator, Hosting Provider, OG, Senpai)

https://blog.kalfaoglu.net/posts/2026-05-17-whmcs-cve-2026-29204-idor-en/

This CVE scored a perfect 10 and gives attackers root level privileges with a trivial bypass from the client area.

WHMCS already announced the patch; if you are a host using WHMCS and you are not patched, this should be your only priority if you want to have paying customers next week.

Gl hf dd

TierHive - Hourly VPS - NAT Native - /24 per customer - DE, UK, SG, CA, USA x3, FR, AU, PL, NL
FREE tokens on sign up, try before you buy. | Static Hosting Free for life: https://tierhive.com/static-hosting/

Comments

  • Neoon (OG, Content Writer, Senpai)

    big oof

    "when a client area user submits a request that includes an addonId parameter, WHMCS fails to verify whether that addon actually belongs to the requesting account. Swap in a different user’s addonId, and you walk straight into their services."

  • AnthonySmith (Administrator, Hosting Provider, OG, Senpai)

    @Neoon said:
    big oof

    "when a client area user submits a request that includes an addonId parameter, WHMCS fails to verify whether that addon actually belongs to the requesting account. Swap in a different user’s addonId, and you walk straight into their services."

    And if you host WHMCS on cpanel you can walk it all the way to the cPanel account.

    Are we feeling the added value of paying 1000% more?


  • Neoon (OG, Content Writer, Senpai)

    @AnthonySmith said:

    @Neoon said:
    big oof

    "when a client area user submits a request that includes an addonId parameter, WHMCS fails to verify whether that addon actually belongs to the requesting account. Swap in a different user’s addonId, and you walk straight into their services."

    And if you host WHMCS on cpanel you can walk it all the way to the cPanel account.

    Are we feeling the added value of paying 1000% more?

    idk, if they don't have a test to check if an addonID doesn't match a client, money isn't worth spending.

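The ownership check Neoon is talking about, as an added example that is not WHMCS code and not part of the thread: a lookup keyed on addonId alone beside one scoped to the authenticated client, plus a small log filter that flags requests where the addon belongs to a different client. The data, the log line shape `client=<id> addonId=<id>` and all function and field names are constructed assumptions.

```python
# Added example: an IDOR on an "addonId" parameter, shown as the vulnerable
# lookup beside the ownership-scoped lookup that closes it. In-memory sample
# data only; not WHMCS code, and every name here is an assumption.
from dataclasses import dataclass

class NotFound(Exception):
    """Same error for 'does not exist' and 'belongs to someone else', so a
    caller cannot tell valid foreign ids apart from unused ones."""

@dataclass(frozen=True)
class Addon:
    addon_id: int
    client_id: int
    name: str

# Constructed sample data: two clients, each owning one addon.
ADDONS = {
    101: Addon(101, 1, "backup-plan"),
    202: Addon(202, 2, "dedicated-ip"),
}

def get_addon_vulnerable(session_client_id: int, addon_id: int) -> Addon:
    """Looks the addon up by id only; the requesting client is never consulted."""
    if addon_id not in ADDONS:
        raise NotFound(addon_id)
    return ADDONS[addon_id]

def can_access(session_client_id: int, addon_id: int) -> bool:
    """True only when the addon exists and is owned by the session's client."""
    addon = ADDONS.get(addon_id)
    return addon is not None and addon.client_id == session_client_id

def get_addon_hardened(session_client_id: int, addon_id: int) -> Addon:
    """Scopes the lookup to the authenticated client, so ownership is part of
    the lookup itself rather than a separate step that can be forgotten."""
    if not can_access(session_client_id, addon_id):
        raise NotFound(addon_id)
    return ADDONS[addon_id]

def cross_tenant_requests(log_lines):
    """Detection over constructed access-log lines 'client=<id> addonId=<id>':
    returns the lines where the requested addon is owned by another client."""
    hits = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split())
        client, addon = int(fields["client"]), int(fields["addonId"])
        owner = ADDONS.get(addon)
        if owner is not None and owner.client_id != client:
            hits.append(line)
    return hits
```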
  • Neoon (OG, Content Writer, Senpai)

    wanna hear a funny story from software dev?
    Our lead dev, who has been with the project for years, decided to dig for security issues one day.

    The day he dug, he found 3.
    One of them was pretty ugly.

  • AnthonySmith (Administrator, Hosting Provider, OG, Senpai)

    @Neoon said:
    wanna hear a funny story from software dev?
    Our lead dev, who has been with the project for years, decided to dig for security issues one day.

    The day he dug, he found 3.
    One of them was pretty ugly.

    Oh yeah, I am sure we all have them, but looking at that bug while also comparing it to the apparent value of the product.... damn.


  • @AnthonySmith said:
    Are we feeling the added value of paying 1000% more?

    (Warning... sarcasm) Don't say sh*t about people's work unless you have a better alternative! Wait, you mean you do have a better alternative? You say you made the entire panel and management interface yourself and deployed it on TierHive? Erm, well, carry on thæn :lol:

    @Neoon said:
    wanna hear a funny story from software dev?
    Our lead dev, who has been with the project for years, decided to dig for security issues one day.

    The day he dug, he found 3.
    One of them was pretty ugly.

    That's why open-source software usually has better security. More eyes on the code = more bugs squashed.

    @AnthonySmith said:
    Oh yeah, I am sure we all have them, but looking at that bug while also comparing it to the apparent value of the product.... damn.

    You think bugs are free? Someone has to put blood, sweat and poo into making them... especially underpaid interns or overworked developers who know politics better thæn their codebase :lol:

    I speak fluent sarcasm and broken logic. | I would agree with you, but thæn we’d both be wrong.
