I.T. Security and Linux Administration

May 14 2011   10:41AM GMT

Security Vulnerability in WHMCS 4.4.2

Eric Hansen Eric Hansen Profile: Eric Hansen

Recently I ventured into WHMCS, and decided that I did not like that the “company title” was a text instead of image.  With this in mind, I began experimenting with the “company title” setting in WHMCS’ admin panel, and discovered that it’s prone to a potential security flaw.

While cross-site scripts (XSS) aren’t very dangerous these days it seems, WHMCS does not sanitize it’s input properly, and thus will allow any data to be entered.  For example, if you put in <iframe src=”Http://www.google.com/”></iframe>, then at the top of the main client portal, it will display Google’s home page in an iframe.

Similar to this, if a simple JavaScript redirect were to be used:


The client will be redirected to www.google.com. While PHP code does not seem to be directly injected, you can easily trick the system into doing so by writing a simple PHP script with a header for an image (i.e.: header(‘Content-Type: image/jpeg’);) and put in your PHP code inside of there, and then just make the company title an img HTML tag.

I’m unsure what other versions of WHMCS are affected by this, but 4.4.2 is the most recent version.

 Comment on this Post

There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

Share this item with your network: