HostBill – Add API Access (Admin) ACL Failure (R911-0104)

Type: ACL Failure
Location: Remote
Impact: Medium
Product: HostBill
Website: http://www.hostbillapp.com
Vulnerable Version: 2013-12-14
Fixed Version: 2013-12-20
CVE: -
R911: 0104
Date: 2013-12-20
By: Rack911

Product Description:

Whether you resell hosting or lease colocation space – you need to bill your customers. HostBill platform’s core components are designed to help you acquire customer, automate your services and ensure that invoices are paid on time.

Vulnerability Description:

It is possible for a restricted admin to add API access to their IP address thus giving them full access to HostBill. (A restricted admin can be someone only assigned to Billing or Support tasks.)

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that an admin can elevate their privileges due to the ACL failure.

Vulnerable Version:

This vulnerability was tested against HostBill v2013-12-14. (Yes, that is the version!)

Fixed Version:

This vulnerability was patched in HostBill v2013-12-20.

Vendor Contact Timeline:

2013-12-14: Vendor contacted via email.
2013-12-14: Vendor confirms vulnerability.
2013-12-20: Vendor issues 2013-12-20 update.
2013-12-20: Rack911 issues security advisory.