Lagom WHMCS Template Prototype Pollution Vulnerability
Vulnerability
A prototype pollution vulnerability has been identified in the Lagom WHMCS Template, affecting versions up to and including 2.3.7. The root cause is not in the template's own code but in the outdated copy of the DataTables JavaScript library (older than 1.10.23) that the template bundles and loads on its pages. DataTables versions before 1.10.23 expose an internal object-extension function that merges attacker-controlled input recursively; keys that name the prototype chain (typically `__proto__`, or `constructor` followed by `prototype`) are merged like any other key, so values end up written onto `Object.prototype` and are inherited by every plain object in the page. Injected properties or methods can therefore alter application behaviour that never touched the attacker's input, leading to cross-site scripting (XSS), validation bypass, denial of service and other unexpected behaviour.
Impact
Successful exploitation allows arbitrary modification of `Object.prototype`, with the injected properties visible on every object in the application that does not explicitly define them. Depending on how the surrounding code uses those objects, this can enable cross-site scripting (for example by overriding `toString()` on a value that is later rendered into the DOM), validation bypass (by polluting properties or methods the validation logic reads, such as regular-expression options), denial of service (by breaking assumptions in application logic), and, in a WHMCS installation, potentially the elevation of privileges or the compromise of administrative functions that are exposed through the polluted client-side state.
Reproduction
To reproduce this vulnerability, install Lagom WHMCS Template version 2.3.7 on a WHMCS instance and make sure the template is active and its pages are reachable. Open the site in a browser, open the Developer Tools console, and first confirm the bundled library version with `$.fn.dataTable.version`; a value below 1.10.23 indicates the vulnerable build. Then paste the proof-of-concept script from the GitHub repository 'lagom-prototype-pollution-poc' into the console and execute it. The script attempts to pollute `Object.prototype` and demonstrates the effect, for example by triggering an alert when the XSS vector is successfully exploited. A quick check that pollution occurred is `Object.keys(Object.prototype)`, which is empty on an unpolluted page because the built-in prototype members are non-enumerable.
Remediation
Users are advised to update the bundled DataTables library to version 1.10.23 or later, either by upgrading to a Lagom release that ships the fixed library or by replacing the bundled DataTables file directly. If an immediate update is not possible, a temporary workaround is to patch the vulnerable extension function so that it refuses to merge the keys `__proto__`, `constructor` and `prototype`, which blocks the known prototype pollution path. After applying either fix, re-run the check from the reproduction section to confirm that `Object.prototype` stays clean.
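The following is an added example, not code from the Lagom template or from the DataTables project. It shows, in a simplified recursive "extend" of the kind described in the vulnerability section, how a JSON payload with a `__proto__` key ends up on `Object.prototype`, how an unrelated object then passes a hypothetical admin check, and how the hardened merge suggested as a workaround stops it. The names `vulnerableExtend`, `safeExtend`, `isAdmin` and `runMerge`, and the attacker JSON, are constructed for this illustration; the real internal function in DataTables differs in detail.

```javascript
// Added example (not DataTables' or the Lagom template's own code).
// Constructed attacker input: JSON.parse creates an OWN property named
// "__proto__" instead of setting the prototype, and a naive deep merge
// later walks into it.
const ATTACKER_JSON = '{"__proto__": {"polluted": "yes", "isAdmin": true}}';

// Vulnerable deep merge in the style of a pre-1.10.23 extend routine:
// it recurses into every key, including "__proto__". Reading
// dst["__proto__"] on a plain object yields Object.prototype, so the
// nested values are written onto the shared prototype.
function vulnerableExtend(dst, src) {
  for (const key in src) {
    if (!Object.prototype.hasOwnProperty.call(src, key)) continue;
    const val = src[key];
    if (val !== null && typeof val === 'object') {
      if (dst[key] === null || typeof dst[key] !== 'object') dst[key] = {};
      vulnerableExtend(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Hardened deep merge: refuse the keys that reach the prototype chain and
// only recurse into OWN properties of dst, so the inherited "__proto__"
// accessor is never used as a merge target.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeExtend(dst, src) {
  for (const key of Object.keys(src)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = src[key];
    if (val !== null && typeof val === 'object') {
      const ownObject = Object.prototype.hasOwnProperty.call(dst, key) &&
        dst[key] !== null && typeof dst[key] === 'object';
      if (!ownObject) dst[key] = {};
      safeExtend(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Hypothetical validation check of the kind the advisory says can be
// bypassed: an empty session object inherits whatever was put on
// Object.prototype.
function isAdmin(session) {
  return session.isAdmin === true;
}

// Runs one merge with the attacker input and reports what happened to an
// unrelated object. Always restores Object.prototype afterwards so the
// demonstration does not leak into the rest of the runtime.
function runMerge(extendFn) {
  const settings = {};
  try {
    extendFn(settings, JSON.parse(ATTACKER_JSON));
    const unrelated = {};
    return {
      unrelatedPolluted: unrelated.polluted === 'yes',
      adminBypassed: isAdmin(unrelated),
      // The merged object itself looks clean: the write went to the prototype.
      settingsHasOwnProto: Object.prototype.hasOwnProperty.call(settings, '__proto__'),
      // Enumerable own keys on Object.prototype are a simple pollution indicator;
      // the built-in members are all non-enumerable, so this is [] when clean.
      prototypeKeys: Object.keys(Object.prototype),
    };
  } finally {
    delete Object.prototype.polluted;
    delete Object.prototype.isAdmin;
  }
}

console.log('vulnerable:', runMerge(vulnerableExtend));
console.log('hardened:  ', runMerge(safeExtend));
```

The `prototypeKeys` check is the same `Object.keys(Object.prototype)` test that can be run in a browser console against a live page: it only catches properties added by plain assignment, which is how a merge like the one above writes them, and it cannot detect a prototype that was changed and then cleaned up again, so treat an empty result as necessary but not sufficient.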
