hi, there are at least 5 confirmed exploit types, consisting of at least 12 confirmed exploits, which can be performed to destroy the hosting server provider's business in a matter of moments. anyone can take control of any machine which uses whmphp without paying to be a client on that machine or signing up for a free trial hosting account. if you value your alpha or master reseller server's security you should consider switching to another provider. thanks, kevin
hi, i was asked to prove part of the legitimacy of these claims on wht but have been slapped with an infraction. here is the least affecting security hole; it does not directly allow you to affect anyone with it, but it proves that i know what i'm talking about. This is what your database will look like if you set your password to what is in the left column under "pass":

Pass   Hash...LOLZ
----   -----------
a:     =AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRLZVbKR-TW6ZkWj5mQzRFbatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
A:     =AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRLZVbKR-jYygnVltmVGplVatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
b:     =AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRLZVbKR-jYygnVj5mQyRVbGtWYxoUT-XxmWT10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
c:     =AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRLZVbKR-jY6ZkVSpHbIplVktmUXZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
d:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSXxGbLZVbKR-zVUZkWj5mQzRFbatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
e:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSXxGbLZVbKR-TW6ZkWj5mQzRFbatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
f:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSXxGbLZVbKR-jYygnVj5mQyRVbGtWYxoUT-XxmWT10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
g:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSXxGbLZVbKR-jY6ZkVSpHbIplVktmUXZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
h:     =AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRT1EbKR-TW6ZkWltmVGplVatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
i:     =AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRT1EbKR-jYygnVltmVGplVatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
j:     =AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRTJmVKJ-nVth3VldlTJp1VGtWYxoUT-XxmWT10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
k:     =AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRT1EbKR-zVUZkWltmVGplVktmUXZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
l:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSXxGbT1EbKR-TW6ZkWltmVGplVatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
m:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSXxGbT1EbKR-jYygnVltmVGplVatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
n:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSXxGbTJmVKJ-nVth3VldlTJp1VGtWYxoUT-XxmWT10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
o:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSXxGbT1EbKR-zVUZkWltmVGplVktmUXZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
p:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSX5GcO1EbKR-TW6ZkWltmVGplVatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
q:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSX5GcO1EbKR-jYygnVltmVGplVatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
r:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSX5GcOJmVKJ-nVth3VldlTJp1VGtWYxoUT-XxmWT10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
s:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSX5GcO1EbKR-zVUZkWltmVGplVktmUXZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
t:     =AlVsdUWuR2TXZkW0oleKZ-lVzgGdWFjRTJmVKJ-nVqZ0VSp3a5plRatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
u:     =AlVsdUWuR2TXZkW0oleKZ-lVzgGdWFjRT1EbKR-zVVpVYTVVW3plRatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
v:     =AlVsdUWuR2TXZkW0oleKZ-lVzgGdWFjRT1EbKR-TWwoVYTdUU6p1RGtWYxoUT-XxmWT10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
w:     =AlVsdUWuR2TXZkW0oleKZ-lVzgGdWFjRT1EbKR-jY6ZkVSp3a5plRktmUXZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
x:     =AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRTJmVKJ-nVqZ0VSp3a5plRatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
y:     =AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRT1EbKR-zVVpVYTVVW3plRatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
z:     =AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRT1EbKR-TWwoVYTdUU6p1RGtWYxoUT-XxmWT10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU

Pass   Hash...LOLZ
----   -----------
B:     =AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRLJVbKJ-nVth3VldlTJp1VGtWYxoUT-XxmWT10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
C:     =AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRLZVbKR-zVUZkWltmVGplVktmUXZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
D:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSXxGbLZVbKR-TW6ZkWltmVGplVatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
E:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSXxGbLZVbKR-jYygnVltmVGplVatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
F:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSXxGbLJVbKJ-nVth3VldlTJp1VGtWYxoUT-XxmWT10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
G:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSXxGbLZVbKR-zVUZkWltmVGplVktmUXZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
H:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSX5GcO1EbJB-jWEZkWltmVGplVatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
I:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSX5GcO1EbJB-zYHhnVltmVGplVatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
J:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSX5GcOJmVKh-mVth3VldlTJp1VGtWYxoUT-XxmWT10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
K:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSX5GcO1EbJB-zVqZkWltmVGplVktmUXZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
L:     =AlVsdUWuR2TXZkW0oleKZ-lVzgGdWFjRLJVbKJ-nVqZ0VSp3a5plRatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
M:     =AlVsdUWuR2TXZkW0oleKZ-lVzgGdWFjRLZVbKR-zVVpVYTVVW3plRatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
N:     =AlVsdUWuR2TXZkW0oleKZ-lVzgGdWFjRLZVbKR-TWwoVYTdUU6p1RGtWYxoUT-XxmWT10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
O:     =AlVsdUWuR2TXZkW0oleKZ-lVzgGdWFjRLZVbKR-jY6ZkVSp3a5plRktmUXZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
P:     =AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRLJVbKJ-nVqZ0VSp3a5plRatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
Q:     =AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRLZVbKR-zVVpVYTVVW3plRatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
R:     =AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRLZVbKR-TWwoVYTdUU6p1RGtWYxoUT-XxmWT10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
S:     =AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRLZVbKR-jY6ZkVSp3a5plRktmUXZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
T:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSXxGbLJVbKJ-nVqZ0VSp3a5plRatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
U:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSXxGbLZVbKR-zVVpVYTVVW3plRatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
V:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSXxGbLZVbKR-TWwoVYTdUU6p1RGtWYxoUT-XxmWT10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
W:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSXxGbLZVbKR-TWwoVYTdUU6p1RGtWYxoUT-XxmWT10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
X:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSX5GcOJmVKh-mVqZ0VSp3a5plRatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
Y:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSX5GcO1EbJB-zVrpVYTVVW3plRatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
Z:     =AlVsdUWuR2TXZkW0oleKZ-VVzgGSX5GcO1EbJB-jWFpVYTdUU6p1RGtWYxoUT-XxmWT10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
aa:    =AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRLZVbKR-TW6ZkWj5mQXllMGtWYxoUe-TpmRXZlM3hnVup0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
ab:    =AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRLZVbKR-TW6ZkWj5mQXllMGFmVWlFM-XtmWO10VzhnVup0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU
az:    Blah Blah Blah
zz:    Blah Blah Blah
aab:   =AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRLZVbKRTW6ZkWj5mQXllMGFmVWFFMXtmWOV2R0NnVwg2bNFjVhd1aap2VG9GeZVFcvJGbahkUsZVU
zzz:   Blah Blah Blah

This is where it gets REALLY interesting and decipherable:

aaaa:  VZlWzV1aoFmYHpkdjZkVaV-2R5ckVyg2UhFjTXdlaGNVVwAXdW5mT00EbWhlUtBHVlV1b4l1V0dUTsx2MhJDdsZ1MoRnVup0SW1mSUJ-laGd1YuJ0VZZlWLVGbvBzVrp-FWUJjU1dVVkNnVsFUP
aaab:  VZlWzV1aoFmYHpkdjZkVaV-2R5ckVyg2UhFjTXdlaGNVVwAXdW5mT00EbWhlUtBHVlV1b4l1V0dUTsx2MhJDdsZ1MoRnVup0SW1mSUJ-2R4h1UHdmeWZlWLVGbvBzVrp-FWUJjU1dVVkNnVsFUP

Notes
------
Clearly it is not the intention to have a hash function which repeats in this fashion, in a clear and concise manner. this means it's encoded and not hashed. We will provide only the first rule for decoding the encoded password at this point, but have a full decoder script ready to unleash at any time:

Proof and Verification
----------------------
The first set of characters can be used to deduce the password length within plus or minus three characters. The characters start at the "=" char for the first three and go to the first - character. After the first three chars the following rules apply for estimating password length:
Char 1 to char 3 passwords all have the same starting string and ending strings
Char 4 to char 6 passwords all have the same starting string and ending strings
Char 7 to char 9 passwords all have the same starting string and ending strings
and so forth

proof it is not hashed but encoded
----------------------------------
the string grows based on the amount of characters being encoded

thanks, kevin
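The two tests the post above relies on (the stored value grows with the password length, and passwords of similar length share long leading and trailing runs) can be checked mechanically, and contrasted with what a salted one-way hash looks like. The script below is an added example written for this page; it is not kevin's decoder and not whmphp code. The SAMPLES dict copies a subset of the password/stored-value pairs quoted in the post; the PBKDF2 storage format, its iteration count and the prefix threshold of 8 characters are this example's own choices.

```python
"""Added example: does a stored credential column behave like a hash or like
a reversible encoding?  Checks the two properties used in the post above and
contrasts them with a salted, iterated one-way hash (PBKDF2-HMAC-SHA256)."""
import hashlib
import hmac
import os
from itertools import combinations

# Password -> stored value, copied from the post above (a subset of the table).
SAMPLES = {
    "a":    "=AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRLZVbKR-TW6ZkWj5mQzRFbatkUHZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU",
    "b":    "=AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRLZVbKR-jYygnVj5mQyRVbGtWYxoUT-XxmWT10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU",
    "c":    "=AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRLZVbKR-jY6ZkVSpHbIplVktmUXZUe-XxmWX10VzhnVYp0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU",
    "aa":   "=AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRLZVbKR-TW6ZkWj5mQXllMGtWYxoUe-TpmRXZlM3hnVup0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU",
    "ab":   "=AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRLZVbKR-TW6ZkWj5mQXllMGFmVWlFM-XtmWO10VzhnVup0diZkUhd1aap2VG9GeZVFcvJGbahkUsZVU",
    "aab":  "=AlVsdUWuR2TXZkW0oleKZ-VYWBncWFjRLZVbKRTW6ZkWj5mQXllMGFmVWFFMXtmWOV2R0NnVwg2bNFjVhd1aap2VG9GeZVFcvJGbahkUsZVU",
    "aaaa": "VZlWzV1aoFmYHpkdjZkVaV-2R5ckVyg2UhFjTXdlaGNVVwAXdW5mT00EbWhlUtBHVlV1b4l1V0dUTsx2MhJDdsZ1MoRnVup0SW1mSUJ-laGd1YuJ0VZZlWLVGbvBzVrp-FWUJjU1dVVkNnVsFUP",
    "aaab": "VZlWzV1aoFmYHpkdjZkVaV-2R5ckVyg2UhFjTXdlaGNVVwAXdW5mT00EbWhlUtBHVlV1b4l1V0dUTsx2MhJDdsZ1MoRnVup0SW1mSUJ-2R4h1UHdmeWZlWLVGbvBzVrp-FWUJjU1dVVkNnVsFUP",
}


def common_prefix_len(x: str, y: str) -> int:
    n = 0
    for cx, cy in zip(x, y):
        if cx != cy:
            break
        n += 1
    return n


def common_suffix_len(x: str, y: str) -> int:
    return common_prefix_len(x[::-1], y[::-1])


def first_segment(value: str) -> str:
    """Characters from the start of the value up to the first '-' (the post's first rule)."""
    return value.split("-", 1)[0]


def group_by_first_segment(samples: dict) -> dict:
    """Passwords sharing a first segment; per the post these are passwords of
    similar length.  A real hash leaks nothing about input length this way."""
    groups: dict = {}
    for pw, value in samples.items():
        groups.setdefault(first_segment(value), []).append(pw)
    return groups


def assess(samples: dict) -> dict:
    """Evidence for 'encoding' versus 'hash':
    - a hash has a fixed output size; an encoding grows with the input;
    - two hash outputs share only a character or so of prefix/suffix by chance;
      an encoding of similar inputs shares long runs (threshold 8 is our choice)."""
    values = list(samples.values())
    length_varies = len({len(v) for v in values}) > 1
    pairs = list(combinations(values, 2))
    max_prefix = max(common_prefix_len(x, y) for x, y in pairs)
    max_suffix = max(common_suffix_len(x, y) for x, y in pairs)
    encoded = length_varies or max_prefix > 8 or max_suffix > 8
    return {
        "length_varies": length_varies,
        "max_shared_prefix": max_prefix,
        "max_shared_suffix": max_suffix,
        "verdict": "reversible encoding" if encoded else "looks hashed",
    }


# What the column should hold instead: PBKDF2-HMAC-SHA256 with a random per-user
# salt and a work factor stored next to the digest so it can be raised later.
# Format and parameters are this example's, not whmphp's.
def store_password(password: str, salt=None, iterations: int = 600_000) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    # constant-time comparison so the check itself does not leak the digest
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("values from the post:", assess(SAMPLES))
    print("grouped by first segment:", group_by_first_segment(SAMPLES))
    # Same passwords through a real KDF (fixed salt here only so the digests are comparable).
    digests = {pw: store_password(pw, salt=bytes(16), iterations=10_000).rsplit("$", 1)[1]
               for pw in SAMPLES}
    print("PBKDF2 digests:", assess(digests))
```

Run against the posted values, assess() reports varying lengths and a shared prefix of 40 or more characters between the one-character passwords, which is the post's point; run against PBKDF2 digests of the same passwords it reports fixed length and only incidental overlap. In production the salt argument is left at its default so every user gets a fresh random salt.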
You are right - if this is the way the passwords are stored, it's not a hashed value. Are there exploits in the wild, 0-day? How big is the vulnerability's impact, how many are the possible victims, and how fast can it be patched / recovered? Asking out of interest in security; I'm not into hosting reselling myself, and because I couldn't find anything yet from the security sources I checked (not following real-time lists for years, got bored). Would be good if the vulnerability is patched fast. Like now!
hi, yes, they are stored that way: usernames and password hashes. i am waiting to hear back from whmphp to see if they wish to buy our knowledge for the time spent uncovering all of them. the victim count is the total number of hosted accounts on every machine which can be used to put master resellers on via whmphp, and all clients. the total number of machines is equal to the number of server licenses they have sold. nothing damaging has been released yet so it is still in before christ mode. how fast can it be patched.....that depends on the intelligence level of the person who wrote the script. i'm shocked i gave him this much credit for this long without doing any investigation. kevin
ROOT VULNERABLE wow. i just found this. We tested it and it worked. this is a major root vulnerability. This is crazy, you can send mass emails, spam, delete accounts on whmphp hosting. it asks you to login but it actually does change the password. if you want to read more, download it here: Download here
No way is this still an issue with whmphp 5? The new system, I believe, has been wholly rewritten?
whmphp v5 is secure and it works great. It is now integrated completely into whm, not a subdomain anymore.