
Web Hosting software WHMCS vulnerable to SQL Injection; emergency security update released

WHMCS, a popular client management, billing and support application for Web hosting providers, released an emergency security update for the 5.2 and 5.1 minor releases, to patch a critical vulnerability that was publicly disclosed.
The vulnerability was publicly posted by a user named ‘localhost’ on October 3rd, 2013, and was also reported by several users on various hosting-related forums. He also released proof-of-concept exploit code for this SQL injection vulnerability in WHMCS.
WHMCS says the updates have “critical security impacts.” The vulnerability enables attackers to execute SQL injection attacks against WHMCS deployments in order to extract or modify sensitive information from their databases, including information about existing accounts and their hashed passwords, which can result in the compromise of the administrator account.
Yesterday, a group of Palestinian hackers named KDMS Team exploited the same vulnerability against one of the largest hosting providers, LeaseWeb. After obtaining the credentials, the attackers were able to deface the website using DNS hijacking.

While all versions of WHMCS are affected by this vulnerability, WHMCS v5.2.8 and v5.1.10 have been released to address this specific SQL injection vulnerability.
Just after the exploit was released online, CloudFlare added a ruleset to their Web Application Firewall (WAF) to block the specific attack vector. They mentioned that CloudFlare hosting partners behind CloudFlare's WAF can enable the WHMCS Ruleset and implement best practices to be fully protected from the attack.