
WHMCS Password Reset Flaw

Posted by jon-f, 06-24-2011, 01:54 AM
I am so surprised I never ran across this before; until recently I had to reset my pass to get in. I submitted for pass reset and checked my mail expecting verification links and everything, only to see my new password had already been generated. So someone just has to know your email address and can do this. Even if they did not have access to your email they could sure troll the crap out of you with it. And it would be easily done as 99% of hosting companies have whmcs users with support@hostingcompany.com. To see if this could be done I was logged in with firefox and went on another browser and submitted pass reset and it logged me right out of firefox. I know it's important to lock up the admin folder via htaccess ip allow or password but this is plumb silly as a default feature. Someone could simply troll the crap out of you like this. So I think whmcs guys should get on this, I will shoot them an email. I'm sure this has been brought up before, surely....

Posted by Mark Muyskens, 06-24-2011, 02:49 AM
Same way as old school ModernBill.... It is what it is, don't really see it as a big issue though.

Posted by OpenInternet-Vince, 06-25-2011, 08:38 PM
Reported this 6 months ago. Apparently nobody thought it was an issue. http://forum.whmcs.com/showthread.php?t=34312

Posted by jon-f, 06-25-2011, 10:21 PM
Definitely an issue. Someone could do this on your network and sniff your traffic. Or if someone wanted to cause problems for a hosting company they could make some tool to automate this, keeping people out of their whmcs. It's amazing that whmcs and some people here think it's not an issue. I think it definitely is!

Posted by Techy, 06-25-2011, 10:30 PM
I agree that it should be more than just an "email" insert to reset the password.

Posted by jon-f, 06-27-2011, 12:44 PM
This can be exploited in a few different ways. Suppose I was a bad guy paid by a competitor to wreak havoc on another host. I would design some script to constantly request password resets so the admin or tech team couldn't get in. Sure this could be stopped by ip locking the admin folder with htaccess but most of the time a large hosting company has tech teams which have no access to the ftp or server the whmcs is on. Second, suppose I was targeting someone, was on their network or whatever and I would request a pass reset, sniff the traffic, get the new pass, go in and dump the db, then have all client info. It's an issue definitely. I have always advised people to lock down the admin folder, to NEVER add root accounts to whmcs and to use the cpanel hash only for cpanel servers. Anyway this pass reset thing IS a flaw, whether it will be fixed or not, let's see.

Posted by WHMCS-Matt, 06-27-2011, 01:07 PM
Hi Guys, to respond to a few of the points raised here: It wasn't reported to us. It was posted on the forums and got no replies. We probably never even saw the post as we don't have time to review every post that is made. However it is in no way a critical issue. For this you would have to know the admin folder location, and part of our recommended installation instructions includes customising the admin folder name, so if people have followed those steps, you wouldn't even know where to find that as a competitor. Add to that the fact you also need to know the individual admin user's email address and that's yet another unknown variable. And like you say, admin folders are often IP restricted, or even the automated admin password reset process disabled entirely in the case of large scale WHMCS users. And how would having a password reset link prevent this exactly? If you are accessing the user's emails, you can just as easily get the password reset link via sniffing, visit the link, and then sniff the next email which would contain the new password. This is not a back door. It alone has nothing to do with access, just the potential of resetting an admin's pass without their authorization. Now it's been brought to our attention of course it's certainly something we can consider improving and adding an additional step to in future, but there's no immediate threat from it, and an extra step doesn't add that much in terms of real security. Matt Last edited by WHMCS-Matt; 06-27-2011 at 01:11 PM.

Posted by JulesR, 06-27-2011, 08:34 PM
With respect, whilst everyone should follow these "extra hardening" steps, to simply claim there's no issue if people do these is ignoring the point altogether. It's very similar to saying "Javascript should perform all the verification/validation in an AJAX system", when you can just as easily validate via PHP or other receiving server side language, and *should* because it's good security practice. What if Javascript is disabled? Your form has no validation.... Very easily. "You have requested to reset the password. To begin this process, please click here . If you DID NOT request this, please be aware that someone may be attempting to breach your account... etc etc here's a link to some security hardening steps on our Wiki, etc." I agree it's not a back door or a serious compromise of security, however I do think it's something the developer(s) should've considered when building the system. Whilst it's unlikely anyone can compromise your system using this, they could certainly cause some serious annoyance if you haven't secured your installation.

Posted by bear, 06-27-2011, 11:07 PM
How is that done? That same secret folder name is sent out with every cron email, so if someone was determined and savvy, they could find it.

Posted by WHMCS-John, 06-28-2011, 03:58 AM
Add the following line to your configuration.php file: $disableadminforgottenpw = true;

Posted by WHMCS-Matt, 06-28-2011, 06:18 AM
With respect, I never said anything like that. And you are taking what I did say out of context. I was responding to the 2 specific ways jon-f said this could be taken advantage of, pointing out why it's not quite as straightforward as he was suggesting. The question here was how does having a verification link prevent someone who has compromised your emails and so is viewing what's received from getting your new admin password. They can visit the confirmation link and monitor for the next email to come in just as easily as the new password being sent straight away, so the proposed solution doesn't help with that. So to summarise my original post:
1. To be able to request a password reset, you need to know both the admin folder location and the personal email address of the administrator you want to reset, and even then it's only emailing a new password to the registered address.
2. It is not a back door and does not allow access to be gained. If your email was compromised then it possibly might, but if your email is compromised, an extra confirmation step wouldn't prevent that either.
3. Of course, the lack of a confirmation step being brought to our attention is certainly something we can & will consider adding, but there's no immediate threat from it, and an extra step doesn't add that much in terms of real security.

Posted by JulesR, 06-28-2011, 12:12 PM
No, I'm not taking anything out of context. You pretty much shrugged the issue off and then listed ways it could be prevented that are based on "third party" WHMCS hardening steps. That's all very well, but it doesn't address the core issue. No, you seem to have misinterpreted the thread. The original post was regarding the ability for someone to cause grief or problems by constantly resetting the admin password for an account, because there are no further steps or authentication required. Later on it was then mentioned that a compromised e-mail account would give them access to WHMCS, which goes without saying and isn't what I and others are referencing. So to summarise from the original post: On a *default* WHMCS installation, and no additional hardening steps taken, WHMCS allows you to reset the password for any administrator account if you are aware of the e-mail address used for that account. The fix: Send a password reset e-mail to the address containing a unique URL that begins the process.

Posted by Dustin B Cisneros, 06-29-2011, 06:05 PM
Or simply change the /admin path to a custom one.

Posted by JulesR, 06-29-2011, 06:06 PM
Or fix the obvious logic flaw in the software we pay for, so we don't have to try security by obscurity.

Posted by Treznax, 06-29-2011, 06:58 PM
They stated they can & will consider changing the pass changing system, so just change /admin for now and wait for a fix in the future?

Posted by JulesR, 06-29-2011, 07:00 PM
Obviously, that goes without saying.

Posted by WHMCS-Matt, 06-29-2011, 07:23 PM
Absolutely false. Instead what I actually said was that this was the first time it had been raised & actually brought to our attention as an issue and that while it's not in any way a security risk, we will of course consider a change in a future update. Actually no, as I tried to explain before, I was replying to the specific posts quoted - which were from post 7 - not the original post topic. It's obvious how what you posted would apply to the original, but that wasn't the question being discussed. There is no security risk from resetting the password alone. If there was we would be releasing an immediate update.

Posted by jon-f, 06-29-2011, 07:37 PM
Agree 100%. It's like someone saying here is your software, you have to do modifications out of the box (ex: hiding admin folder) and a few other things but there is no problem. I like WHMCS and always have, recommend it to anyone, but I wish things like this which would be a simple feature addition and that all other cms/billing software already have wouldn't be that big of an issue or wouldn't be blown off so easily. EDIT I do see that WHMCS is considering fixing in new issues, I know it's not a big problem but still this day and age, shouldn't be that complex of a code addition. Last edited by jon-f; 06-29-2011 at 07:42 PM.

Posted by Scott.Mc, 06-29-2011, 08:25 PM
Wow, overboard or what. If you are sniffing traffic what does this have to do with this issue at all? There's much more serious issues going on. What a lot of fluff for a relatively minor issue. I don't think anyone will dispute that it should be fixed but going on like it's a serious security issue is simply wrong. I also find it disturbing that you made a post on WHT instead of contacting them first.

Posted by OpenInternet-Vince, 06-30-2011, 11:16 AM
Changing the path is not a solution when the foundation is broken.

Posted by OpenInternet-Vince, 06-30-2011, 11:23 AM
Correct me if I'm wrong on this one. Your software doesn't have brute force protection/detection when it comes to password reset, right? So doesn't that mean anybody with a bot could potentially reset all of our clients' and admin passwords without any limitations?

Posted by Stanlee, 06-30-2011, 11:41 AM
Fix: Don't forget your admin password.

Posted by forasse, 06-30-2011, 11:46 AM
Read the entire thread before you post.

Posted by WHMCS-John, 06-30-2011, 12:17 PM
It doesn't have brute force protection when it comes to password resets for admins, but the client side has a reset confirmation step built in already. For a bot to perform an admin reset, it would have to guess the admin email address for which there are so many combinations it would be unlikely. Last edited by WHMCS-John; 06-30-2011 at 12:31 PM.

Posted by JulesR, 06-30-2011, 12:53 PM
Hardly. I'm willing to bet a lot of providers either have firstname@domain.tld or use support@domain.tld.

Posted by jon-f, 06-30-2011, 01:05 PM
First off I never said there was a serious security risk, just a hypothetical situation in which the password could be compromised. My entire point is the annoyance this could cause and the way you could be locked out of WHMCS so easily.

Posted by OpenInternet-Vince, 06-30-2011, 01:09 PM
That's what brute force is right ... ?
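The two fixes the thread keeps circling back to are (a) JulesR's point that a reset request should only send a unique confirmation URL, leaving the existing password untouched until that link is used, and (b) Vince's point that reset requests need some brute-force throttling. The following is an added illustration of both, written for this discussion; it is not WHMCS code and makes no claim about how WHMCS implements its reset flow. The admin store, the 15-minute token lifetime, the 3-per-hour limit and the sample e-mail and IP address are all constructed assumptions.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque

# Assumed policy values for this example (not WHMCS settings).
TOKEN_TTL = 15 * 60      # seconds a confirmation link stays valid
MAX_REQUESTS = 3         # reset requests allowed per key within WINDOW
WINDOW = 60 * 60         # sliding window in seconds


def _hash(token: str) -> str:
    # Store only a hash of the token, so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class PasswordResetService:
    def __init__(self, admins):
        # admins: {email: current_password}; a constructed in-memory stand-in
        # for the real admin table, plaintext only to keep the example short.
        self.admins = dict(admins)
        self.pending = {}                    # token hash -> (email, expires_at)
        self.history = defaultdict(deque)    # rate-limit key -> request times

    def _rate_limited(self, key, now):
        q = self.history[key]
        while q and q[0] <= now - WINDOW:    # drop requests outside the window
            q.popleft()
        if len(q) >= MAX_REQUESTS:
            return True
        q.append(now)
        return False

    def request_reset(self, email, client_ip, now=None):
        """Step 1: issue a single-use confirmation token; change nothing else.

        Returns the token (which would go only into the e-mailed link) or None.
        The web handler should show the same generic message either way, so the
        response does not reveal whether the address is a real admin.
        """
        now = time.time() if now is None else now
        # Throttle per source address and per target account; the thread's
        # original flaw had no such limit, so a bot could fire resets freely.
        limited_ip = self._rate_limited(("ip", client_ip), now)
        limited_email = self._rate_limited(("email", email), now)
        if limited_ip or limited_email:
            return None
        if email not in self.admins:
            return None
        token = secrets.token_urlsafe(32)
        self.pending[_hash(token)] = (email, now + TOKEN_TTL)
        return token

    def confirm_reset(self, token, now=None):
        """Step 2: the link is visited; only now is a new password generated.

        Returns the new password (to be delivered to the registered address)
        or None if the token is unknown, already used, or expired.
        """
        now = time.time() if now is None else now
        entry = self.pending.pop(_hash(token), None)   # pop => single use
        if entry is None:
            return None
        email, expires_at = entry
        if now > expires_at:
            return None
        new_password = secrets.token_urlsafe(12)
        self.admins[email] = new_password
        return new_password


if __name__ == "__main__":
    svc = PasswordResetService({"admin@example.test": "old-pass"})
    tok = svc.request_reset("admin@example.test", "203.0.113.5")
    print("password still old after request:", svc.admins["admin@example.test"] == "old-pass")
    print("new password after confirm:", svc.confirm_reset(tok))
    print("token reuse rejected:", svc.confirm_reset(tok) is None)
```

The property worth noting is that an unsolicited request, however many times it is repeated, never changes the stored password: the only thing an attacker who knows the e-mail address can do is cause confirmation links to be sent, and the throttle bounds even that. A real deployment would also invalidate existing sessions on confirmation and hash the stored password.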
