WHMCS zer0 day allows malicious user to inject SQL commands


WHMCS, a popular client management and billing support solution for web hosting providers, has released an emergency patch for its software after a SQL injection vulnerability was found on Thursday.

The vulnerability, which was posted publicly on a blog by “localhost” on October 3, allows a malicious user to inject SQL commands.

With this zer0-day, any malicious user can obtain information about existing WHMCS accounts. Hashed passwords can be obtained, which can lead to a compromised admin account.

All that is needed is a valid existing user of the WHMCS software.

“The vulnerability allows an attacker, who has valid login to the installed product, to craft a SQL Injection Attack via a specific URL query parameter against any product page that updates database information,” the WHMCS blog post reads.

All versions of the WHMCS software are affected, but only versions 5.1 and 5.2 are provided with a patch, in accordance with its “Long Term Support Policy.”

Source: PCworld | WHMCS

About Clifford Trigo

Hi there! I am Clifford Trigo from the island of Bohol. Come over here and let's have fun! :3 Just keep reading :D