7th Oct 2013 (10:44)
xxxxx || Customer
Hi,

One of our customers tried to reset the admin password. Is there any security hole or bug that lets someone else reset the password?

-------------

Client ID: 1840 - 1:xxx:xxxx@xxxxx.com:56d451d40fxxxxx2f49a3b49811c, 6:xxx:xxxx@xxxxx.com:adad59xxxxx8904325423b728, 19:xxx:xxxx@xxxxx.com:d0c35ecea08a8165xxx0438a6, 20:xxx:xxxx@xxxxx.com:adfa51cexxxx21e88 timson has requested to change his/her details as indicated below:

Address 2: 'ero' to 'AES_ENCRYPT(1,1), firstname=((SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,pass word SEPARATOR 0x2c20) FROM tbladmins))'
Default Payment Method: '' to ''

If you are unhappy with any of the changes, you need to login and revert them - this is the only record of the old details.

---------------

Client ID: 1840 - jack timson has requested to change his/her details as indicated below:

City: 'tokyo' to 'AES_ENCRYPT(1,1), firstname=((SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,pass word SEPARATOR 0x2c20) FROM tbladmins))'
Default Payment Method: '' to ''

If you are unhappy with any of the changes, you need to login and revert them - this is the only record of the old details.

-------------

Regards.


----------------

We wrote this message; let's see what they wrote back to us. Note the ticket date.


--------------------------------

Here is the reply. Two or three days after this ticket, a non-stop series of updates came out; after every update there was another problem, we wrote again, and another update followed. But to be fair, they answer instantly.
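As an added, defender-side example (not part of the ticket and not WHMCS's own code): a small Python check that parses the `Field: 'old' to 'new'` lines of the change notification quoted above and flags values carrying SQL fragments like the one in the ticket. The sample notification is constructed from the ticket's City line plus two benign changes; the indicator patterns are assumptions, not a WHMCS feature.

```python
import re

# Constructed sample in the format of the "requested to change his/her details"
# notification quoted in the ticket. The City line is the one from the ticket;
# the other two changes are benign values added for contrast.
SAMPLE_NOTIFICATION = """\
Client ID: 1840 - jack timson has requested to change his/her details as indicated below:

City: 'tokyo' to 'AES_ENCRYPT(1,1), firstname=((SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,pass word SEPARATOR 0x2c20) FROM tbladmins))'
Default Payment Method: '' to ''
Address 2: '12 Example Street' to 'Flat 4, 12 Example Street'
"""

# One change line: the field name runs up to the first colon, the two quoted
# values are separated by " to ". The new value is matched greedily to the last quote.
CHANGE_LINE = re.compile(r"^(?P<field>[^:]+): '(?P<old>.*?)' to '(?P<new>.*)'$")

# Fragments a legitimate address/city/name value should never contain (assumed list).
SQL_INDICATORS = [
    ("sql-function-call", re.compile(
        r"\b(AES_ENCRYPT|AES_DECRYPT|CONCAT|GROUP_CONCAT|LOAD_FILE|SLEEP|BENCHMARK)\s*\(", re.I)),
    ("subselect", re.compile(r"\(\s*SELECT\b", re.I)),          # nested SELECT
    ("column-assignment", re.compile(r",\s*[a-z_]+\s*=", re.I)),  # ", firstname=..."
    ("hex-literal", re.compile(r"\b0x[0-9a-f]{2,}\b", re.I)),     # 0x3a, 0x2c20 separators
]


def parse_changes(text):
    """Yield (field, old, new) for every change line; other lines are skipped."""
    for line in text.splitlines():
        m = CHANGE_LINE.match(line.strip())
        if m:
            yield m.group("field"), m.group("old"), m.group("new")


def find_suspicious_changes(text):
    """Return [(field, [indicator names])] for values that match any SQL indicator."""
    findings = []
    for field, old, new in parse_changes(text):
        hits = [name for name, rx in SQL_INDICATORS if rx.search(new) or rx.search(old)]
        if hits:
            findings.append((field, hits))
    return findings


if __name__ == "__main__":
    for field, hits in find_suspicious_changes(SAMPLE_NOTIFICATION):
        print(f"suspicious change to {field!r}: {', '.join(hits)}")
```

Run it over the body of each "requested to change his/her details" email; a hit on a profile field is the signal to inspect the client account and the admin table rather than wait for the next notification.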



7th Oct 2013 (14:27)
Lawrence || Staff
Hi Hakan,

Based on the log entry you've provided, the attacker has only performed a SELECT statement. This particular statement exposes the administrator password hashes. These password hashes, in themselves, are not sufficient to allow the attacker to authenticate into your admin area. The attacker must have the plain text version of the original password (and therefore must find the text which equates to the same hash value as your password).

If the attacker is able to extract the true admin user password value, they would then need to also know the exact location of the admin login page as well as have access to load it. As described in our recommended further security steps, WHMCS provides an extra layer of protection to help mitigate the unauthorized access into the administrative area by allowing a custom admin folder path. We also recommend restricting IP access to that folder with an htaccess file.

For more info please see our most recent blog post at http://blog.whmcs.com/

If you require further assistance, please don't hesitate to let us know.

Regards,

Lawrence
Customer Support