Script from WHMCS to stop hack attempts

[zomex]

Hello,

Someone on webhostingtalk.com post a script which they got from WHMCS that stops people being able to open tickets with the exploit code.

Note: You must install the security patch below if you haven't already. This script in this post is not a replacement for the security patch:

http://blog.whmcs.com/?t=43462

The code I'll post below is simply to stop people being able to open tickets containing {php} or {/php} which will stop you having to delete multiple tickets each day.

PHP Code:

<?php
$checkvars = array('subject','message');
foreach ($checkvars AS $checkvar) if (strpos($_REQUEST[$checkvar],'{php}')!==false) die("We're sorry, but you cannot use \"{php}\" in a ticket submission. If you do have a legitimate issue, please press the back button in your browser and then change any instances of \"{php}\" to \"(php)\" so that your ticket may be submitted.  Keep in mind that neither {php} nor (php) will function.");
?>

Save this code in a PHP file of your choice. e.g ticketexploit.php and upload to:

whmcs/includes/hooks/

Jack

[tletourneau]

Thanks for posting this!

[freeman]

Quote:

Originally Posted by zomex

The code I'll post below is simply to stop people being able to open tickets containing {php} or {/php} which will stop you having to delete multiple tickets each day.

PHP Code:

<?php
$checkvars = array('subject','message');
foreach ($checkvars AS $checkvar) if (strpos($_REQUEST[$checkvar],'{php}')!==false) die("We're sorry, but you cannot use \"{php}\" in a ticket submission. If you do have a legitimate issue, please press the back button in your browser and then change any instances of \"{php}\" to \"(php)\" so that your ticket may be submitted.  Keep in mind that neither {php} nor (php) will function.");
?>

Save this code in a PHP file of your choice. e.g ticketexploit.php and upload to:

whmcs/includes/hooks/

Jack

or you can deny this with ModSec:

PHP Code:

SecRuleEngine On
SecRule ARGS_POST "{php}" "deny,log,auditlog" 


[naushad]

Thanks very much for this.

[zomex]

No problem, glad I could help.

[justMe]

Quote:

Originally Posted by zomex

PHP Code:

<?php
$checkvars = array('subject','message');
foreach ($checkvars AS $checkvar) if (strpos($_REQUEST[$checkvar],'{php}')!==false) die("We're sorry, but you cannot use \"{php}\" in a ticket submission. If you do have a legitimate issue, please press the back button in your browser and then change any instances of \"{php}\" to \"(php)\" so that your ticket may be submitted.  Keep in mind that neither {php} nor (php) will function.");
?>

Note, this code will not prevent a person submitting a ticket directly using an email client. (if you have email piping or similar set up)

Also note, this code will prevent editing/saving email templates from the whmcs admin area.

Below is a modification to get around the email template issue while still using the hook that Jack posted.

PHP Code:

    $file = pathinfo($_SERVER['SCRIPT_NAME']);
    $callingScript = $file['basename'];

    $checkvars = array('subject', 'message');
    foreach ($checkvars AS $checkvar) if ($callingScript != 'configemailtemplates.php' && strpos($_REQUEST[$checkvar], '{php}') !== false) die("We're sorry, but you cannot use \"{php}\" in a ticket submission. If you do have a legitimate issue, please press the back button in your browser and then change any instances of \"{php}\" to \"(php)\" so that your ticket may be submitted.  Keep in mind that neither {php} nor (php) will function.");
?> 


@freeman

Code:

SecRuleEngine On
SecRule ARGS_POST "{php}" "deny,log,auditlog"

Where is this code placed? .htaccess?

[zomex]

Quote:

Originally Posted by justMe

Note, this code will not prevent a person submitting a ticket directly using an email client. (if you have email piping or similar set up)

Also note, this code will prevent editing/saving email templates from the whmcs admin area.

Below is a modification to get around the email template issue while still using the hook that Jack posted.

PHP Code:

    $file = pathinfo($_SERVER['SCRIPT_NAME']);
    $callingScript = $file['basename'];

    $checkvars = array('subject', 'message');
    foreach ($checkvars AS $checkvar) if ($callingScript != 'configemailtemplates.php' && strpos($_REQUEST[$checkvar], '{php}') !== false) die("We're sorry, but you cannot use \"{php}\" in a ticket submission. If you do have a legitimate issue, please press the back button in your browser and then change any instances of \"{php}\" to \"(php)\" so that your ticket may be submitted.  Keep in mind that neither {php} nor (php) will function.");
?> 


Thanks for the updated hook