WHMCS – Admin Application Links CSRF Vulnerability
WHMCS is an all-in-one client management, billing & support solution for online businesses. Handling everything from signup to termination, WHMCS is a powerful business automation tool that puts you firmly in control.
Due to a CSRF vulnerability within the “Application Links” feature in the admin panel of WHMCS, it is possible for a malicious user to make unauthorized changes. For example, it would be possible to change the WHMCS Single Sign-On links within cPanel to display any text they wanted which could cause alarm for unsuspecting hosting users.
Vendor Contact Timeline:
2015-12-10: Vendor contacted via “Bug Bounty” program.
2016-01-20: Vendor confirms vulnerability.
2016-01-26: Vendor issues update.
2016-01-27: RACK911 Labs issues security advisory.
1110 Palms Airport Drive, Suite 110
Las Vegas, NV 89119