WHCMS zer0 day allows malicious user to inject SQL commands

10/07/2013 05:36:00 AM TechNews No comments

The popular WHCMS, a client management and billing support solution for web hosting providers has released an emergency patch for its software after a SQL injection vulnerability has been found Thursday.

The vulnerability that was posted publicly on a blog by “localhost” on October 3 allows malicious user to inject SQL commands.

By that zer0-day, any malicious minded user will be able to get information of existing WHCMS accounts. Hashed passwords can be obtain leading to compromised admin account.

What only needed is a valid existing user of the software WHCMS.

“The vulnerability allows an attacker, who has valid login to the installed product, to craft a SQL Injection Attack via a specific URL query parameter against any product page that updates database information,” blogpost of WHCMS reads.

All versions of WHCMS softwares are affected but only versions 5.1 and 5.2 are provided patch as part of its accordingly “Long Term Support Policy.”

Source : PCworld | WHcms

WHCMS zer0 day allows malicious user to inject SQL commands

No comments :

Bookmark this Page

Chat Room

GOOGLE ANALYTICS

Popular Posts

Blog Archive

Labels

Labels