WHMCS <=5.2.12 PHP Object Injection

Posted by Saadi On Saturday 2 November 2013 4 comments
Hi all , was alot busy with my work ,  so now here comes some new stuff PHP object injection in all whmcs versions.

http://packetstormsecurity.com/files/123890/whmcs-phpobject.txt
http://blog.whmcs.com/?t=81138
http://www.securelist.com/en/advisories/55717


# Exploit Title               : WHMCS <=5.2.12 PHP Object Injection
                                  :Web Host Manager Complete Solution
# Date                         : 2013/10/24
# Exploit Author          : Saadat Ullah , saadi_linux@rocketmail.com
# Software Link          : http://www.whmcs.com
# Author HomePage   : http://security-geeks.blogspot.com
# Tested on: Server     : Apache/2.2.15 PHP/5.3.3

#PHP Object Injection

#Affected Versions:
WHMCS <=5.2.12

#Vulnerability Description
Poc

The vulnerable code is located in /includes/classes/class.admin.php
The function sortableTableInit() passes S_COOKIE data to unserialize function without sanitizing it.
Code on Line 711

$sortdata = (isset( $_COOKIE["sortdata"] ) ? $_COOKIE["sortdata"] : "");
$sortdata = unserialize( base64_decode( $sortdata ) );

User input passed through the Cookies is not properly sanitized before being used in
an unserialize() call at line 711. This can be exploited to inject arbitrary PHP objects into the
application scope.

Some of the files which are calling sortableint() function are

/admin/configticketescalations.php
/admin/clientsinvoices.php
/admin/transactions.php
/admin/clientsnotes.php
/admin/affiliates.php
/admin/offlineccprocessing.php
/admin/supportannouncements.php
/admin/supporttickets.php
/admin/systemmailimportlog.php
/admin/clientscredits.php
/admin/clientsquotes.php
/admin/configservers.php
/admin/systemactivitylog.php
/admin/clientslog.php
/admin/clientstransactions.php
/admin/quotes.php
/admin/gatewaylog.php
/admin/systemadminlog.php
/admin/clientsservices.php
/admin/configadmins.php
/admin/todolist.php
/admin/invoices.php


#Independent Pakistani Security Researcher

4 comments:

Anonymous said...

Thanks for sharing very good tips about php .I really like this blog.
php

Unknown said...

http://hosthub.biz

Unknown said...

www.bdwebs.com

Piotr LA said...

This article has great values. I like to read your posts.
wez pozyczke

Post a Comment