Type: SQL Injection
Vulnerable Version: 4.6.7
Fixed Version: 4.6.8
ClientExec is a comprehensive and flexible web hosting billing solution that will help you manage and expand your existing base of hosting clients. ClientExec was conceived and built with small to mid-sized hosting companies in mind. ClientExec was built to enable business owners to effectively manage their hosting clients and web hosting billing using one convenient and powerful platform.
There is a possible SQL injection in the plugin / snapin system that could allow an attacker to execute malicious SQL queries against the database.
We have deemed this vulnerability to be rated HIGH because unsanitized SQL queries can be performed.
This vulnerability was tested against ClientExec v4.6.7.
This vulnerability was patched in ClientExec v4.6.8.
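The advisory does not include the affected code, so the following is an added illustration of the class of defect it describes, not ClientExec's code: a query built by string concatenation of a parameter beside the same query written with a bound parameter, run against a constructed in-memory SQLite table. The table name, columns and sample rows are assumptions made for the example; the point is that in the concatenated form the database cannot distinguish query text from data, while in the parameterised form the value is always treated as data.

```python
import sqlite3

# Constructed sample data standing in for a billing application's client table
# (illustrative only; this is not ClientExec's schema).
SAMPLE_CLIENTS = [
    (1, "alice", "alice@example.com"),
    (2, "o'brien", "obrien@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)", SAMPLE_CLIENTS)
    conn.commit()
    return conn


def find_client_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: the caller-supplied value is spliced into the SQL
    text, so the database cannot tell where the query ends and the data begins."""
    sql = "SELECT id, username, email FROM clients WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_client_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: a parameterised query. The SQL text is fixed and the
    value is bound separately by the driver, so it is always treated as data."""
    sql = "SELECT id, username, email FROM clients WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups on the same inputs and report what each one does."""
    conn = make_db()
    results = {}

    # A perfectly legitimate value containing an apostrophe breaks the
    # concatenated query outright, while the bound parameter finds the row.
    try:
        find_client_unsafe(conn, "o'brien")
        results["unsafe_quote"] = "ok"
    except sqlite3.OperationalError:
        results["unsafe_quote"] = "syntax error"
    results["safe_quote"] = len(find_client_safe(conn, "o'brien"))

    # A value that happens to carry SQL syntax changes the meaning of the
    # concatenated query (every row matches), but is compared literally by the
    # parameterised query and matches nothing.
    sql_like_value = "x' OR 'a'='a"
    results["unsafe_sql_like"] = len(find_client_unsafe(conn, sql_like_value))
    results["safe_sql_like"] = len(find_client_safe(conn, sql_like_value))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The fix the advisory describes for v4.6.8 is not shown on the page; binding parameters as in `find_client_safe` is the standard remediation for this class of bug, and it also removes the spurious syntax errors that unescaped legitimate input causes in the concatenated form.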
Vendor Contact Timeline:
2013-11-15: Vendor contacted via email.
2013-11-15: Vendor confirms vulnerability.
2013-11-20: Vendor issues update.
2013-11-27: Rack911 issues security advisory.