LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

PSA: WHMCS Security Update You Probably Didn't Know About (Revenue Impacting) – Thanks, Dustin from RackNerd!

Special thanks to Dustin Cisneros, CEO of RackNerd (who goes by @dustinc), for sharing this tip with the LEB/LET community, considering many community providers here utilize WHMCS. The link to the LowEndTalk post by Dustin from RackNerd is here. He also shares a MySQL query (reproduced below) to check whether you were most likely impacted by this vulnerability before the patch.

If you’re not a provider or WHMCS user, why not check out RackNerd’s latest offers, which include VPS systems starting at only $11.38/YEAR?

On June 20, 2023, WHMCS silently published a security update on their blog without any sort of email announcement or social media announcement. Nothing on Facebook, nothing on Twitter, nothing on LinkedIn… nada. Almost like everyone will be actively checking and refreshing the WHMCS blog on a daily basis, am I right? /s

WHMCS words this as “An important payment assertion issue and an XSS security issue have been identified that affect all versions of WHMCS.” Yikes.

Okay. So in other words, it allowed bad actors to mark invoices as paid when they had not actually been paid. This meant providers that relied heavily on automation and did not audit their transactions could have potentially lost some revenue.

And of course, it was followed by corporate speak from WHMCS, classic. “Further details about these issues will not be disclosed at this time.”

In short… update your WHMCS to the latest version, or follow the patch set instructions mentioned at https://blog.whmcs.com/133735/security-update-2023-06-20

Now if you’re looking for a WHMCS alternative, Clientexec is worth considering. On that note, RackNerd provides free Clientexec licenses for all active RackNerd clients. Pretty neat.

Original Post/Details by Dustin at RackNerd

For providers here using WHMCS, recently on June 20, 2023, WHMCS silently published a security update on their blog without any sort of email announcement or social media announcement. This affects all WHMCS versions prior to that date.

According to WHMCS, the security update is described as: “An important payment assertion issue and an XSS security issue have been identified that affect all versions of WHMCS.”

While not exactly client impacting, this could have resulted in lost revenue for providers, as it essentially allows bad actors to falsely mark invoices as paid when they in fact were not.

To patch yourself from this vulnerability going forward, update your WHMCS to the latest version, or follow the patch set instructions mentioned at https://blog.whmcs.com/133735/security-update-2023-06-20

How to Check If You Were Previously Affected

The best way to check is by comparing payments made to you (within your merchant accounts) against the paid invoices within the WHMCS system.

Our team at RackNerd found that this vulnerability usually involves one invoice ID being factually paid and another unpaid invoice ID sharing the same transaction ID as the paid invoice. Typically, if there’s malicious intent, a smaller invoice will be actually paid, with a larger invoice falsely marked as paid using the same transaction ID.

ATTN Providers:

To assist you further (which should not be a substitute for manually auditing, but still helps point you towards the right direction), our development folks at RackNerd have created an SQL query that you can run within your WHMCS database. This will help identify any duplicate transaction IDs that may exist within your WHMCS database. The query below is read-only and does not write any changes to your database, but we still recommend taking a backup before running any MySQL operations.

SELECT a.*
FROM tblaccounts a
JOIN (
    SELECT transid
    FROM tblaccounts
    WHERE transid IS NOT NULL
      AND transid <> ''
      AND description NOT LIKE '%Refund%'
    GROUP BY transid
    HAVING COUNT(transid) > 1
) b ON a.transid = b.transid
WHERE a.transid IS NOT NULL
  AND a.transid <> ''
  AND a.description NOT LIKE '%Refund%';

After running the above query, sort by date (newest to oldest) and examine the “invoiceid” and “transid” columns. If you notice a “transid” being the same on different invoice IDs, you might want to manually check to see if that was intentional.

While WHMCS did not release specifics regarding the vulnerability as they mentioned “Further details about these issues will not be disclosed at this time”, our observations suggest that it mainly affects providers using WHMCS in conjunction with Stripe.
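The audit procedure described above (run the duplicate-transid query, then look for one transid attached to different invoice IDs, with the larger invoice being the one to verify against the merchant account) as a runnable example. This is added code, not RackNerd's or WHMCS's; it uses an in-memory SQLite table with constructed rows in place of the real MySQL tblaccounts, and the column names invoiceid, transid, description, amountin and date are assumed from the post.

```python
import sqlite3
from collections import defaultdict

# Constructed sample rows shaped like WHMCS tblaccounts (invoiceid, transid,
# description, amountin, date). All values are made up for this example.
SAMPLE_ROWS = [
    (1001, "ch_A1", "Credit Card Payment", 3.50, "2023-06-10"),
    (1002, "ch_A1", "Credit Card Payment", 480.00, "2023-06-10"),  # same transid, larger invoice
    (1003, "ch_B2", "Credit Card Payment", 12.00, "2023-06-11"),
    (1003, "ch_B2", "Refund", -12.00, "2023-06-12"),              # refund rows are excluded
    (1004, "ch_C3", "Credit Card Payment", 20.00, "2023-06-12"),
    (1004, "ch_C3", "Credit Card Payment", 5.00, "2023-06-12"),   # same invoice twice: not the pattern
    (1005, "", "Manual Payment", 7.00, "2023-06-13"),             # blank transid: excluded
    (1006, None, "Manual Payment", 9.00, "2023-06-13"),           # NULL transid: excluded
]

# The read-only query from the post (curly quotes replaced with plain ones).
DUPLICATE_TRANSID_SQL = """
SELECT a.invoiceid, a.transid, a.amountin FROM tblaccounts a
JOIN (SELECT transid FROM tblaccounts
      WHERE transid IS NOT NULL AND transid <> '' AND description NOT LIKE '%Refund%'
      GROUP BY transid HAVING COUNT(transid) > 1) b ON a.transid = b.transid
WHERE a.transid IS NOT NULL AND a.transid <> '' AND a.description NOT LIKE '%Refund%'
ORDER BY a.date DESC;
"""

def load_sample_db(rows=SAMPLE_ROWS):
    """Build an in-memory SQLite stand-in for the WHMCS MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblaccounts (invoiceid INTEGER, transid TEXT,"
                 " description TEXT, amountin REAL, date TEXT)")
    conn.executemany("INSERT INTO tblaccounts VALUES (?, ?, ?, ?, ?)", rows)
    return conn

def find_suspicious_pairs(conn):
    """Map each transid that appears on more than one distinct invoice to its
    invoice ids, largest amount first. The largest is the one to verify
    against the merchant account, since the post's observed pattern is a
    small invoice really paid and a larger one marked paid with the same id."""
    by_transid = defaultdict(list)
    for invoiceid, transid, amount in conn.execute(DUPLICATE_TRANSID_SQL):
        by_transid[transid].append((amount, invoiceid))
    return {
        transid: [inv for _, inv in sorted(rows, reverse=True)]
        for transid, rows in by_transid.items()
        if len({inv for _, inv in rows}) > 1
    }

if __name__ == "__main__":
    for transid, invoices in find_suspicious_pairs(load_sample_db()).items():
        print(f"transid {transid!r} on invoices {invoices}; audit {invoices[0]} first")
```

Only ch_A1 survives the distinct-invoice filter; the refund reuse of ch_B2 and the repeated ch_C3 row on a single invoice are the two false positives the raw query would otherwise surface.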

raindog308

3 Comments

  1. LOL:

    LOL, why thank Dustin for this? WHMCS has already sent an email about it. It looks like Dustin wants to grab attention all the time and say he has found something.

    July 6, 2023 @ 8:29 am
    • Hi LOL — I’m always all for sharing knowledge and helping others rather than withholding information, but more importantly this was simply about spreading awareness to other providers considering many here utilize WHMCS. Since releasing this post, I’ve been hearing inconsistent reports on whether the email was received or not. Some folks confirmed they got it while others, like us, didn’t receive anything. On our end, we didn’t get anything, see screenshot: https://i.ibb.co/sVHW93q/WHMCS-email-history.png

      My guess is that there might have been some inconsistency or glitch in their mass mail, preventing it from reaching all license holders.

      Adding to the confusion, WHMCS hasn’t been exactly forthcoming with details on this issue, nor have they provided a proposed method for identifying if you’ve been previously affected. The SQL query and related solutions mentioned above were created by us based on our experience and observations (and not by WHMCS), just to be clear.

      July 6, 2023 @ 11:30 am
  2. Mo:

    WHMCS customer for over 5 years here. Didn’t get a single communication about this till now…

    Just updated and checked.

    Thnx for sharing.

    July 6, 2023 @ 10:36 am
