Posted by: Eric Hansen
security, Vulnerability, WHMCS
Recently I ventured into WHMCS, and decided that I did not like that the “company title” was a text instead of image. With this in mind, I began experimenting with the “company title” setting in WHMCS’ admin panel, and discovered that it’s prone to a potential security flaw.
While cross-site scripts (XSS) aren’t very dangerous these days it seems, WHMCS does not sanitize it’s input properly, and thus will allow any data to be entered. For example, if you put in <iframe src=”Http://www.google.com/”></iframe>, then at the top of the main client portal, it will display Google’s home page in an iframe.
The client will be redirected to www.google.com. While PHP code does not seem to be directly injected, you can easily trick the system into doing so by writing a simple PHP script with a header for an image (i.e.: header(‘Content-Type: image/jpeg’);) and put in your PHP code inside of there, and then just make the company title an img HTML tag.
I’m unsure what other versions of WHMCS are affected by this, but 4.4.2 is the most recent version.