WHMCS has gone from simply being unhelpful to being in denial.  This, unfortunately, is typical for companies today.  I have been digging into this problem since it first cropped up as i noted in my previous post.  Now WHMCS has gone from telling me it is on my end to saying they want me to take this to their bug program….BUUUUUT…there is some significant issues with this IMO.  here is what originally got thrown that started this whole thing:

403 Forbidden

A potentially unsafe operation has been detected in your request to this site, and has been blocked by Wordfence.

If you are an administrator and you are certain this is a false positive, you can automatically whitelist this request and repeat the same action.

 

So let’s say you want to report via their bounty program, what do you need to do?  Look here at a site called bugcrowd.  In order to be eligible for a reward you must do the following(taken right from the linked site):

The target for this bounty is an all-in-one client management, billing & support solution intended primarily for web hosts, but also used by other types of online businesses.

Targets

The application scope for this test is:
– The WHMCS software application.
– Must be downloaded and properly installed on your own hosting environment.
– Proper installation includes performing the Further Security Steps (http://docs.whmcs.com/Further_Security_Steps).

The WHMCS installation package includes a number of addons – Project Management Addon, Licensing Addon, Configurable Package Addon and Mobile Edition. This covers all PHP code included with the download of WHMCS.

Testing licenses are made available free of charge to BugCrowd security researchers. Keys issued for the purposes of security research and development are valid for a period of 90 days at a time, and must be installed either in a localhost environment or behind a password protected directory – never publicly accessible to the Internet.

To obtain a license, please email support@bugcrowd.com with the string “WHMCS installation code” in the email.

To be considered, submissions must work against an install that has had the Further Security Steps applied at installation. Details can be found here: http://docs.whmcs.com/Further_Security_Steps

The following are specifically excluded from scope and should not be tested:
– Any hosted server at *.whmcs.com – Testing against live production instances is STRICTLY forbidden. Testing against systems hosted by WHMCS or their customers will result in a disqualification of your submission.
– The WHMCS iPhone app
– The WHMCS Android app
– The WHMCS Windows Mobile app

The following finding types are specifically excluded from the bounty:
– General product bugs that do not have a security impact
– Descriptive error messages (e.g. Stack Traces, application or server errors).
– Login Page / Forgot Password Page Account Brute force or account lockout not enforced.
– HTTP 404 codes/pages or other HTTP non-200 codes/pages.
– Banner disclosure on common/public services.
– Disclosure of known public files or directories, (e.g. robots.txt).
– Clickjacking and issues only exploitable through clickjacking.
– Self-XSS and issues exploitable only through Self-XSS.
– CSRF on forms that are available to anonymous users (e.g. the contact form).
– Logout Cross-Site Request Forgery (logout CSRF).
– Presence of application or web browser ‘autocomplete’ or ‘save password

You will qualify for a reward if you were the first person to alert the program owner to a previously unknown issue and the issue triggers a code or configuration change. Find more details about how rewards work in the Standard Disclosure Terms.

Qualifying submissions will be given monetary rewards and Bugcrowd Kudos points based on both the severity and impact of the issue being reported. Maximum payouts are as follows – all prices in USD:

Arbitrary Code Execution: $5,000
SQL Injection: $2,500
Authentication Bypass: $1,500
Cross-site request Forgery: $300
Cross-site Scripting: $250
If a valid bug requires admin access, the bounty amount is halved.

Reporters are expected to keep details of a vulnerability private both prior to and after payment of a reward.

I, of course, could care less about a reward.  I simply want this software fixed and working correctly so I can expand my business even faster.  Here is the last e-mail i sent to them.  WHMCS maintains they have adequate security and that this is a false positive.

Hi,
This is likely a false positive from the security software as we run a number of such scans from various vendors ourselves on each release.
However if you can provide the full results from your PCI scan service I can certainly pass that on for review.

This is not a PCI compliance issue.  This is a XSS problem that goes far beyond PCI compliance.  PCI compliance scans are stupidly easy to pass and yet you can be absolutely insecure behind it.

i have reminded them that the symptoms say otherwise:

I have two open tickets and i am basically being told it is either a problem on my end or a false positive when the circumstances say otherwise. I have cancelled the recurring payment on my paypal for this license. All I am asking for is not to get shuffled into some behind the wall bug bounty system and simply actually come look at the issue. Support wants not only to not help but seems to want to research this on their terms and ot with any real accountability. I need to talk with somebody higher up please that can actually address this issue and is willing to look through this. The fact that your software is triggering an XSS warning AND it causes my virtualmin software to croak when said alert is thrown means the software is most assuredly performing an XSS as the minimum. I do not need nor want to “research” this inside of WHMCS closed walled in garden..i want the software to work correctly. I am willing to pay for said product but only after it stops trying to go outside of it’s directories and interfering with other software.

Keep in mind the application firewall that is being triggered is my wordpress firewall..so WHMCS is not only stomping on virtualmin but also trying to stop on wordpress as well. This is a serious issue and needs to be addressed not hidden behind some highly restricted walled garden bug bounty program. I await your response.

 

here’s is the e-mail chain with the technicians name removed:

I am trying to get past the first page but when i hit save i get the following:

403 Forbidden

A potentially unsafe operation has been detected in your request to this site.

I am unable to find anything in the apache logs that is barfing. Any ideas? The system is Centos 7 using php 5.4.x.

click the setup tab and then general settings..put in anything and hit save..boom it’s dead.

Thank you for contacting WHMCS.

This is not an error generated by WHMCS, but rather, is a server-side issue.

A Web server may return a 403 Forbidden HTTP status code in response to a request from a client for a Web page or resource to indicate that the server refuses to allow the requested action. In other words, the server can be reached, but the server declined to allow the requested access.

A typical request that may receive a 403 Forbidden response is a GET for a Web page, performed by a Web browser to retrieve the page for display to a user in a browser window. The Web server may return a 403 Forbidden status for other types of requests as well.

The Apache Web server returns 403 Forbidden in response to requests for URL paths that correspond to filesystem directories, when directory listings have been disabled in the server. Some administrators configure the mod_proxy extension to Apache to block such requests, and this will also return 403 Forbidden. Microsoft IIS responds in the same way when directory listings are denied in that server. In WebDAV, the 403 Forbidden response will be returned by the server if the client issued a PROPFIND request but did not also issue the required Depth header, or issued a Depth header of infinity.

There can be many reasons for such an error, including, but not limited to:

File/folder ownership.
File/folder permissions.
mod_proxy
mod_security

If you are uncertain of how to resolve this particular issue, you should contact your system administrator and/or Web host.

 

I also find it interesting that you are blaming my system for the error
code yet there is nothing in my Apache lost whatsoever referencing anything
to do with WHMCS. No directory for PHP CGI nothing there’s nothing in the
law that indicates an error or an access when that 403 gets thrown

ok now i know what is going on i just do not know why..when your product goes to save something on a couple of pages it tries to intrude into my virtualmin space and tht causes virtualmin to crash and apache throws the 403. NO log gets logged though. Seems like your software is acting like an xss carrier here and i would expect MY system to block this(i am the admin BTW). So it is now most assuredly your software misbehaving.(code causing XSS NOT posted here)

New ticket:

I closed that ticket because the support was of no help. IF you are interested in fixing what looks to be a serious XSS with your software let me know.

I did not dig into the specifics so there’s no code to release so i merely talked about my experience on my website. WHMCS looks like a good solution but if it is going to try to run outside of it’s own folder when that was NOT part of the setup I will have to wait a few months to try again.

Hi,
We welcome responsible disclosure of potential security issues via our bug bounty program. This allows reports to be verified and rewards to be paid.
I’d encourage you to supply the details via http://www.whmcs.com/security-bounty-program/ so they can be addressed appropriately.

If we can be of any more assistance, please don’t hesitate to get back in contact.

I am not interested in the bounty honestly I want the software to work. I
will put what I found in this ticket..also please reference the ticket I
mentioned:

You can read about my experience with WHMCS and support here:

https://etc-md.com/?p=4440

Hi,
This is likely a false positive from the security software as we run a number of such scans from various vendors ourselves on each release.
However if you can provide the full results from your PCI scan service I can certainly pass that on for review.

I have two open tickets and i am basically being told it is either a problem on my end or a false positive when the circumstances say otherwise. I have cancelled the recurring payment on my paypal for this license. All I am asking for is not to get shuffled into some behind the wall bug bounty system and simply actually come look at the issue. Support wants not only to not help but seems to want to research this on their terms and ot with any real accountability. I need to talk with somebody higher up please that can actually address this issue and is willing to look through this. The fact that your software is triggering an XSS warning AND it causes my virtualmin software to croak when said alert is thrown means the software is most assuredly performing an XSS as the minimum. I do not need nor want to “research” this inside of WHMCS closed walled in garden..i want the software to work correctly. I am willing to pay for said product but only after it stops trying to go outside of it’s directories and interfering with other software.

Keep in mind the application firewall that is being triggered is my wordpress firewall..so WHMCS is not only stomping on virtualmin but also trying to stop on wordpress as well. This is a serious issue and needs to be addressed not hidden behind some highly restricted walled garden bug bounty program. I await your response.

403 Forbidden

A potentially unsafe operation has been detected in your request to this site, and has been blocked by Wordfence.

If you are an administrator and you are certain this is a false positive, you can automatically whitelist this request and repeat the same action.

so a wordpress plugin designed to protect ONLY wordpress gets triggered by WHMCS..ANd in doing so causes a DOS inside of virtualmin? this means WHMCS is trying to run rampant in my webspace and that is NOT a good thing. Sounds like a classic XSS to me.

 

Let’s see how they respond.  Will WHMCS actually go into an actual troubleshooting mode here in a real world environment that shows an apparent severe coding error or will they continue to leave their head in the sand?

*corrected WHCMS to WHMCS*

Skip to content