Thread: WHMCS Billing system database compromised
View Single Post
Old 05-21-2012, 08:31 PM  
baddog
So Fucking Banned
 
Industry Role:
Join Date: Apr 2001
Location: the beach, SoCal
Posts: 107,089
Quote:
Originally Posted by raymor View Post
baddog, props for full disclosure.




Or an a firewalled INTRANET machine with a trap door. Baddog, we may be able to assist your people with setting this up a in way that is both secure and convenient to use. One major trick is to FEDERATE the database to the CC module, except for the CC table. In that way, the billing module sees the whole database and the support module sees everything but the CC table. That is, the internal server can see the part of the database that's on the web server, but the public web server can't see the sensitive data, it's a one way door.

Your brief post also indicated at least one other specific vulnerability, with a specific fix that should be done. I won't post details here.

Sure there was a social engineering component, and there were a couple of architecture problems that turned that attack into something much more serious than it should have been. ONLY tickets should have been exposed by a successful attack, not login passwords, CC info, etc. You don't need to, and aren't supposed to by PCI, store ANY track information on a public web server.
Thanks, I wish I owned WHMCS, but alas I do not. Was just passing along info we just received. Figured there were others here than may have missed it. We are changing our passwords just to be sure.

You would probably be a good one to ask, what do they mean that it was done via social engineering?
baddog is offline   Share thread on Digg Share thread on Twitter Share thread on Reddit Share thread on Facebook Reply With Quote