WHMCS Security Advisory 2020-01-28

Just looking for some info.

How is this issue exploitable? What can be gained if it is exploited? Is it High Risk?

Comments

  • Sorry, but this is most likely black hat. Your account is found on some other major black hat forum. The way you phrase the question feels like you are trying to exploit it.

    Is it safe to say that you are searching for an exploit to potentially break into some MineCraft hosts that you don't like?

    (Cross-posted)

  • wdmg, Services Provider

    Yes. Everything can be exploited with time and patience. No, you won’t find that here.

  • lentro, Hosting Provider

    @Arion4384 Congrats on your first post.

    @FAT32 said:
    Sorry, but this is most likely black hat. Your account is found on some other major black hat forum. The way you phrase the question feels like you are trying to exploit it.

    Is it safe to say that you are searching for an exploit to potentially break into some MineCraft hosts that you don't like?

    (Cross-posted)

    Agreed. Thank you for your work!


  • Solaire, Design Team, OG
    edited April 2

    @Arion4384 said: How is this issue exploitable?

    Through the vendor directory according to the WHMCS docs. As this is not a black hat forum, as pointed out by @FAT32, we will not write you a tool to exploit this.

    @Arion4384 said: What can be gained if it is exploited?

    Every piece of data the user that runs the PHP process can access (and possibly more with the use of other non-WHMCS-related exploits), including but not limited to database entries and possibly access credentials for services sold through WHMCS if left unchanged after purchase.

    @Arion4384 said: Is it High Risk?

    If you care about your customers: yes.

  • I don't play Minecraft, no. Been offered a reward for a successful PoC to gain a shell.

  • WSS, Retired

    We don't do that here. You're likely better off elsewhere.


  • wdmg, Services Provider

    @Arion4384 said:
    I don't play Minecraft, no. Been offered a reward for a successful PoC to gain a shell.

    Why don't you just leave then? Your kind is not welcome.

This discussion has been closed.