WHMCS 5.2.7 Vulnerability

Posted: Thu Oct 03, 2013 1:40 pm
by mikeshinn
There is a vulnerability in WHMCS 5.2.7, as described in this blog post at the URL below:

https://atomicorp.com/company/blogs/325 ... ction.html

If you are using Atomic Secured Linux (ASL) or our real time modsecurity rules, and you have a standard WHMCS installation you are already protected!

We're very proud that our focus on proactive security means all our customers were already protected from this vulnerability before it was discovered, even by the bad guys.

Re: WHMCS 5.2.7 Vulnerability

Posted: Sat Oct 05, 2013 11:20 am
by tmah
Hello,

I have installed mod_security on my WHM/cPanel with http://configserver.com/cp/cmc.html to control my rules.

Do I only need to upload all the files of modsec-201310050449.tar.gz to my server's rule folder?

Thank you

Re: WHMCS 5.2.7 Vulnerability

Posted: Sat Oct 05, 2013 2:05 pm
by mikeshinn
Thank you for the question. In this case you don't need the latest rules; this attack uses a SQL injection, which our rules already protect you against. So as long as you're using a version of our rules put out sometime this year, you are already protected.

Re: WHMCS 5.2.7 Vulnerability

Posted: Sat Oct 05, 2013 7:24 pm
by tmah
Hello,

Because WHMCS's version will break my WHMCS addon (awaiting a bug fix), if I had your rules to protect my WHMCS, does it mean I do not need to update to the new version and it will still be safe?

Thank you

Re: WHMCS 5.2.7 Vulnerability

Posted: Sat Oct 05, 2013 11:25 pm
by mikeshinn
> Because WHMCS's version will break my WHMCS addon (awaiting a bug fix), if I had your rules to protect my WHMCS, does it mean I do not need to update to the new version and it will still be safe?
For this vulnerability, provided WHMCS is behind a modsecurity install or ASL WAF and you are running our rules, yes you would be safe.

Re: WHMCS 5.2.7 Vulnerability

Posted: Sat Oct 05, 2013 11:34 pm
by tmah
Hello,

1. Thank you for your reply.
I just need to confirm that even if I still use the older version of WHMCS and do not apply the new fixed WHMCS version 5.1.10 or 5.2.8,
when people want to try my WHMCS and attack it with the security bug,
it is still fine because your mod security rules will protect my WHMCS?
If yes, can you tell me the rule id for this bug?

2. Is there any way that I can test whether my mod security with your rules is working well to defend my WHMCS from attack?

Thank you

Re: WHMCS 5.2.7 Vulnerability

Posted: Sun Oct 06, 2013 1:38 pm
by mikeshinn
Thank you for the questions.
> 1. Thank you for your reply.
> I just need to confirm that even if I still use the older version of WHMCS and do not apply the new fixed WHMCS version 5.1.10 or 5.2.8,
> when people want to try my WHMCS and attack it with the security bug,
> it is still fine because your mod security rules will protect my WHMCS?
Yes, our rules protect systems with a vulnerable version of WHMCS from this vulnerability, if they are configured as stated in the first post:
If you are using ASL and your WHMCS installation is either being served by Apache, or if running on a different web server and is configured to be protected by the WAF you are already protected from this vulnerability. (And you were protected a long time ago)

The real time rules will also stop this, but if you are running WHMCS on a different web server or through a control panel you need to set up a proxy for that traffic.
> If yes, can you tell me the rule id for this bug?
It's a SQL injection attack. As for the rule id, that depends on what version of the rules you are using, and whether you use our real time rules or just the more basic delayed rules (and of course whether you have disabled anything). With the older basic delayed rules, 340157 should stop this attack (that depends on what version you are using of course; older versions may not). The real time rules, with their advanced SQLi protection rules, can also stop this attack, plus variations of this attack, including complex evasion attempts (the basic delayed rules do not include the advanced SQLi protection rules, so they cannot protect against all variants of this attack, although they do protect against the current exploit).

In the real time rules, you will find rule 340157 stops the current variant, and in the advanced real time rules, rules 341245, 360148, and 360147 stop variants and evasive versions of this attack. And in the real time rules we also have a virtual patch for this, just in case someone disabled SQLi protection on their system (id 331357), which blocks the specific vulnerability in WHMCS.
> 2. Is there any way that I can test whether my mod security with your rules is working well to defend my WHMCS from attack?
Yes, use the exploit at the link in the first post. Here's the link again:

http://localhost.re/p/whmcs-527-vulnerability

Re: WHMCS 5.2.7 Vulnerability

Posted: Sun Oct 06, 2013 7:52 pm
by tmah
Hello,

1. I have signed up for the 30-day trial now; I would upgrade to the yearly package days later.


2. I use a WHM/cPanel server with Mod Security/ConfigServer ModSecurity Control (cmc) to control my server.
My Mod Security config is the following:

SecRequestBodyAccess On
SecAuditLogType Concurrent
SecResponseBodyAccess On
SecResponseBodyMimeType (null) text/html text/plain text/xml
SecResponseBodyLimit 2621440
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecServerSignature Apache
SecUploadDir /var/asl/data/suspicious
SecUploadKeepFiles Off
SecAuditLogParts ABIFHZ
SecArgumentSeparator "&"
SecCookieFormat 0
SecRequestBodyInMemoryLimit 131072
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
SecResponseBodyLimitAction ProcessPartial

Include /usr/local/apache/conf/modsec_rules/10_asl_antimalware.conf
Include /usr/local/apache/conf/modsec_rules/10_asl_rules.conf
Include /usr/local/apache/conf/modsec_rules/20_asl_useragents.conf
Include /usr/local/apache/conf/modsec_rules/30_asl_antispam.conf
Include /usr/local/apache/conf/modsec_rules/50_asl_rootkits.conf
Include /usr/local/apache/conf/modsec_rules/60_asl_recons.conf
Include /usr/local/apache/conf/modsec_rules/99_asl_jitp.conf
Include /usr/local/apache/conf/modsec_rules/99_zzz_custom.conf
Include /usr/local/apache/conf/modsec2.whitelist.conf



I can find 340157 in 10_asl_rules.conf. Does it mean I also need to include 11_asl_adv_rules.conf in my Mod Security config in WHM?
Or could you recommend any other rules I need to include?


3. If I follow the link http://localhost.re/p/whmcs-527-vulnerability to try my WHMCS, and my WHMCS is broken, will my data be removed, or can other people access my WHMCS directly?



Thank you a lot for the help

Re: WHMCS 5.2.7 Vulnerability

Posted: Sun Oct 06, 2013 9:40 pm
by mikeshinn

> I can find 340157 in 10_asl_rules.conf. Does it mean I also need to include 11_asl_adv_rules.conf in my Mod Security config in WHM?
> Or could you recommend any other rules I need to include?
Yes, you need to add that rule file, 11_asl_adv_rules.conf, to your configuration.
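
One way to check the configuration question settled in the last exchange, added here as an example and not part of the thread or of Atomicorp's tooling: it follows the Include lines of a ModSecurity config and reports whether the rule ids named in the thread are loaded, missing, or switched off by SecRuleRemoveById. The rule stubs, the whitelist entry and the placement of the three advanced ids in 11_asl_adv_rules.conf are constructed assumptions.

```python
import re
# Rule ids named in the thread: 340157 (basic) and three advanced SQLi rules.
WANTED = ("340157", "341245", "360148", "360147")
INCLUDE_RE = re.compile(r"^\s*Include\s+(\S+)", re.M)
REMOVE_RE = re.compile(r"^\s*SecRuleRemoveById\s+(.+)$", re.M)
ID_RE = re.compile(r"\bid:'?(\d+)")

def _removed(rid, tokens):
    # A SecRuleRemoveById argument is a single id or a lo-hi range.
    for tok in tokens:
        lo, _, hi = tok.partition("-")
        if lo.isdigit() and (hi or lo).isdigit() and int(lo) <= int(rid) <= int(hi or lo):
            return True
    return False

def rule_coverage(main_conf, read_file, wanted=WANTED):
    """Per wanted id: 'loaded from <file>', 'disabled' or 'not loaded'."""
    texts = [("<main>", main_conf)]
    for path in INCLUDE_RE.findall(main_conf):
        try:
            texts.append((path, read_file(path)))
        except (OSError, KeyError):
            pass  # Include names a file that does not exist
    defined, removals = {}, []
    for path, text in texts:
        live = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
        for rid in ID_RE.findall(live):
            defined.setdefault(rid, path)
        for args in REMOVE_RE.findall(live):
            removals += args.replace('"', " ").split()
    def status(rid):
        if rid not in defined:
            return "not loaded"
        if _removed(rid, removals):
            return "disabled"
        return "loaded from " + defined[rid].rsplit("/", 1)[-1]
    return {rid: status(rid) for rid in wanted}

# Constructed stand-ins for the rule files; real ASL rule bodies differ.
CONF = "/usr/local/apache/conf/"
STUB = 'SecRule ARGS "@rx constructed-placeholder" "id:%s,phase:2,deny"\n'
FILES = {
    CONF + "modsec_rules/10_asl_rules.conf": STUB % "340157",
    CONF + "modsec_rules/11_asl_adv_rules.conf": "".join(STUB % i for i in WANTED[1:]),
    CONF + "modsec2.whitelist.conf": "SecRuleRemoveById 360147\n",
}
# POSTED keeps the two relevant Include lines of the posted config; FIXED adds the adv file.
POSTED = ("Include " + CONF + "modsec_rules/10_asl_rules.conf\n"
          "Include " + CONF + "modsec2.whitelist.conf\n")
FIXED = "Include " + CONF + "modsec_rules/11_asl_adv_rules.conf\n" + POSTED
```

Against a live server, pass the text of the real ModSecurity config and `lambda p: open(p).read()` as the reader; Include lines that use wildcards are not expanded by this sketch.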