WHMCS Security Advisory 2020-01-28

Just looking for some info.

How is this issue exploitable? What can be gained if it is exploited? Is it High Risk?

Comments

  • FAT32FAT32 OGSenpai

    Sorry but this is most likely black hat. Your account is found on some other major black hat forum. The way you phrase the question feels like you are trying to exploit it.

    Is it safe to say that you are searching for exploit to potentially break into some MineCraft hosts that you don't like?

    (Cross-posted)

    食之无味 弃之可惜 - Too arduous to relish, too wasteful to discard.

  • Yes. Everything can be exploited with time and patience. No, you won’t find that here.

  • lentrolentro Hosting Provider

    @Arion4384 Congrats on your first post.

    @FAT32 said:
    Sorry but this is most likely black hat. Your account is found on some other major black hat forum. The way you phrase the question feels like you are trying to exploit it.

    Is it safe to say that you are searching for exploit to potentially break into some MineCraft hosts that you don't like?

    (Cross-posted)

    Agreed. Thank you for your work!

  • SolaireSolaire OG
    edited April 2020

    @Arion4384 said: How is this issue exploitable

    Through the vendor directory according to the WHCMS docs. As this is not a black hat forum as pointed out by @FAT32 we will not write you a tool to exploit this.

    @Arion4384 said: What can be gained if it is exploited

    Every piece of data the user that runs the PHP process can access (and possibly more with the user of other non-WHCMS related exploits), including but not limited to database entries and possibly access credentials for services sold through WHCMS if left unchanged after purchase.

    @Arion4384 said: Is it High Risk

    If you care about your customers: yes.

  • I don't play Minecraft, no. Been offered a reward for a successful PoC to gain a shell.

  • We don't do that here. You're likely better off elsewhere.

    Thanked by (2)wdmg lentro

    My pronouns are like/subscribe.

  • @Arion4384 said:
    I don't play Minecraft, no. Been offered a reward for a successful PoC to gain a shell.

    Why don't you just leave then? Your kind is not welcome.

    Thanked by (1)lentro
This discussion has been closed.