The zero-day may have been leveraged by UGNazi to gain access to the firm’s systems

Jun 2, 2012 09:01 GMT

On May 29, WHMCS released a security patch to address an SQL Injection vulnerability that affected the billing and support software. However, before the company learned of the security hole, cybercriminals were selling the exploit for $6,000 (4,560 EUR) on underground markets.

The WHMCS incident doesn’t seem to be over just yet. Shortly after UGNazi hackers breached its systems, the company became the target of a distributed denial-of-service attack which forced its website offline.

Security journalist Brian Krebs, who found the blind SQL injection exploit advertised on an unnamed forum, reveals that the seller was offering it to a maximum of three buyers.

“No patches for it until now, vulnerability is a full blind SQL injection discovered by me. Wrote an exploit for it that works from command line which extracts admin hash from [database]. No need to decode md5 hash, can login directly with faking cookies,” wrote the jolly salesman.

Krebs makes an interesting point as to whether this zero-day could have been somehow leveraged by UGNazi to gain access to WHMCS systems.

Even though Matt Pugh, the developer and founder of WHMCS, has stated that the attackers relied on social engineering to gain access to the data, there is a slight chance that the hackers also used the SQL Injection flaw, especially since the company probably uses its own product.
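The seller's claim above, that a stolen admin password hash could be used to "login directly with faking cookies", only holds when the cookie itself is derived from the stored hash. The following is an added example, not WHMCS code, contrasting that cookie design with one where a full read of the database still yields nothing a browser can present, and using parameterised queries for every lookup so that quote characters in input are treated as data. The schema, the `admins`/`sessions` tables, the `admin`/`hunter2` credentials and the timestamps are all constructed for illustration.

```python
"""Added example (not WHMCS code): two cookie-authentication designs compared.

Weak design: the cookie is "<admin id>:<md5 of password>", so whoever reads
the admins table can forge a valid cookie without cracking anything.
Hardened design: the cookie is a random token and the server stores only
SHA-256(token), so a leaked sessions table cannot be replayed as a cookie.
All names, schema and credentials below are constructed for illustration.
"""
import hashlib
import hmac
import secrets
import sqlite3


def setup_db():
    """In-memory database with one constructed admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_md5 TEXT)")
    conn.execute("CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, admin_id INTEGER, expires INTEGER)")
    conn.execute("INSERT INTO admins (username, pw_md5) VALUES (?, ?)",
                 ("admin", hashlib.md5(b"hunter2").hexdigest()))
    conn.commit()
    return conn


def lookup_admin(conn, username):
    """Parameterised lookup: a username containing quotes is just a string."""
    row = conn.execute("SELECT id FROM admins WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


# --- Weak design: cookie material is the stored password hash ---------------
def weak_check_cookie(conn, cookie):
    admin_id, presented = cookie.split(":", 1)
    row = conn.execute("SELECT pw_md5 FROM admins WHERE id = ?", (int(admin_id),)).fetchone()
    return row is not None and hmac.compare_digest(row[0], presented)


# --- Hardened design: random token, only its digest stored server-side ------
def strong_issue_cookie(conn, admin_id, now, ttl=3600):
    token = secrets.token_urlsafe(32)
    conn.execute("INSERT INTO sessions VALUES (?, ?, ?)",
                 (hashlib.sha256(token.encode()).hexdigest(), admin_id, now + ttl))
    conn.commit()
    return token  # only the client ever sees the raw token


def strong_check_cookie(conn, token, now):
    h = hashlib.sha256(token.encode()).hexdigest()
    row = conn.execute("SELECT admin_id FROM sessions WHERE token_hash = ? AND expires > ?",
                       (h, now)).fetchone()
    return row[0] if row else None


def simulate_db_leak(conn):
    """Everything a full read of the two tables gives an attacker."""
    admins = conn.execute("SELECT id, pw_md5 FROM admins").fetchall()
    sessions = conn.execute("SELECT token_hash FROM sessions").fetchall()
    return admins, sessions


def demo():
    """Returns (weak_forgery_works, legit_ok, strong_forgery_fails, expired_fails)."""
    conn = setup_db()
    admins, _ = simulate_db_leak(conn)
    admin_id, leaked_md5 = admins[0]

    # Weak: the leaked hash IS the cookie material, so a forged cookie validates.
    weak_forgery_works = weak_check_cookie(conn, f"{admin_id}:{leaked_md5}")

    # Strong: a real login works ...
    now = 1_000_000  # constructed epoch-style timestamp
    token = strong_issue_cookie(conn, admin_id, now)
    legit_ok = strong_check_cookie(conn, token, now + 10) == admin_id

    # ... but the leaked sessions row only holds SHA-256(token); presenting
    # that digest as if it were the token does not validate, and tokens expire.
    _, sessions = simulate_db_leak(conn)
    strong_forgery_fails = strong_check_cookie(conn, sessions[0][0], now + 10) is None
    expired_fails = strong_check_cookie(conn, token, now + 3601) is None
    return weak_forgery_works, legit_ok, strong_forgery_fails, expired_fails


if __name__ == "__main__":
    print(demo())  # (True, True, True, True)
```

The design point is that a database read should never be sufficient to mint a session: store a one-way digest of a high-entropy random token rather than anything derived from the password, and keep the token short-lived. Parameterised queries address the injection itself; the session design limits what an attacker gains if a read-only injection does slip through.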

Pugh didn’t provide many details at the time when the security update was released, and he didn’t make any connection to the incident.

“Within the past few hours, an ethical programmer disclosed to us details of an SQL Injection Vulnerability present in current WHMCS releases,” he explained in an email sent to customers.

“The potential of this is lessened if you have followed the further security steps, but not entirely avoided. And so we are releasing an immediate patch before the details become widely known.”

Update. We have contacted one of the UGNazi hackers and they state that the SQL Injection vulnerability is not the one they leveraged to gain access to WHMCS systems.