Tuesday, October 15, 2013

Web Hosting software WHMCS vulnerable to SQL Injection; emergency security update released


WHMCS, a popular client management, billing and support application for Web hosting providers, released an emergency security update for the 5.2 and 5.1 minor releases, to patch a critical vulnerability that was publicly disclosed.

The vulnerability was publicly posted by a user going by the name 'localhost' on October 3rd, 2013, and was also reported by several users on various hosting-related forums. The same user also released proof-of-concept exploit code for this SQL injection vulnerability in WHMCS.
WHMCS says the updates have "critical security impacts": the vulnerability enables attackers to execute SQL injection attacks against WHMCS deployments in order to extract or modify sensitive information from their databases, including information about existing accounts and their hashed passwords, which can result in the compromise of the administrator account.

Yesterday a group of Palestinian hackers known as KDMS Team possibly used the same vulnerability against one of the largest hosting providers, LeaseWeb. After obtaining the credentials, the attackers were able to deface the website using DNS hijacking.

Read more: TheHackerNews