HostBill – Auto Upgrade (Admin) ACL Failure (R911-0106)

Type: ACL Failure
Location: Remote
Impact: Medium
Product: HostBill
Website: http://www.hostbillapp.com
Vulnerable Version: 2013-12-14
Fixed Version: 2013-12-20
CVE: -
R911: 0106
Date: 2013-12-20
By: Rack911

Product Description:

Whether you resell hosting or lease colocation space, you need to bill your customers. HostBill platform's core components are designed to help you acquire customers, automate your services and ensure that invoices are paid on time.

Vulnerability Description:

It is possible for a restricted admin to upgrade HostBill when auto upgrades are NOT enabled, because the upgrade action is not protected by an ACL check: any authenticated admin can trigger it, not only one with the privilege to upgrade the application. (A restricted admin can be someone assigned only to Billing or Support tasks.)
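The bug class above, as an added illustration that is not HostBill's code and does not use its actual ACL or data model: a privileged admin action (a manual software upgrade) reachable by any logged-in admin because the handler never consults the ACL, beside the same handler with a default-deny ACL check in front of it. The role names, the ACL table, the version strings and the function names are assumptions made for the example.

```python
"""Added illustration (not HostBill's code): ACL-gated admin actions.

Models the bug class in the advisory: a privileged action (here, a manual
software upgrade that is only offered when auto upgrade is off) that a
restricted admin can reach because the handler never consults the ACL.
Roles, ACL layout, versions and names are assumptions for the example.
"""
from dataclasses import dataclass, field

# Constructed ACL: which actions each admin role may perform. Upgrading the
# application is reserved for the full "Admin" role; Billing and Support
# admins only get their own task areas.
ROLE_ACL = {
    "Admin":   {"view_invoices", "view_tickets", "upgrade"},
    "Billing": {"view_invoices"},
    "Support": {"view_tickets"},
}


@dataclass
class Admin:
    username: str
    roles: set = field(default_factory=set)


@dataclass
class AppState:
    version: str = "2013-12-14"       # assumed starting version
    auto_upgrade: bool = False        # manual upgrade path is live when False
    upgrade_log: list = field(default_factory=list)


def perform_upgrade(state: AppState, target: str) -> str:
    """The privileged operation itself: move the app to a new version."""
    state.upgrade_log.append((state.version, target))
    state.version = target
    return state.version


def upgrade_unchecked(state: AppState, admin: Admin, target: str) -> str:
    """Vulnerable pattern: the handler only checks the auto-upgrade setting.
    Having an admin session at all is treated as sufficient, so a
    Billing-only or Support-only admin can upgrade the application."""
    if state.auto_upgrade:
        raise RuntimeError("auto upgrade enabled; manual upgrade disabled")
    return perform_upgrade(state, target)


def is_allowed(admin: Admin, action: str) -> bool:
    """Default-deny ACL check: permitted only if some role of the admin
    explicitly grants the action. Unknown roles and actions grant nothing."""
    return any(action in ROLE_ACL.get(role, set()) for role in admin.roles)


def upgrade_checked(state: AppState, admin: Admin, target: str) -> str:
    """Fixed pattern: consult the ACL before touching any state, then apply
    the same auto-upgrade rule as before."""
    if not is_allowed(admin, "upgrade"):
        raise PermissionError(f"{admin.username} lacks the 'upgrade' privilege")
    if state.auto_upgrade:
        raise RuntimeError("auto upgrade enabled; manual upgrade disabled")
    return perform_upgrade(state, target)


def attempt(handler, state: AppState, admin: Admin, target: str) -> str:
    """Run one upgrade handler and report the outcome as a short string,
    so the vulnerable and fixed handlers can be compared side by side."""
    try:
        return "upgraded to " + handler(state, admin, target)
    except PermissionError:
        return "denied by ACL"
    except RuntimeError as exc:
        return "refused: " + str(exc)


if __name__ == "__main__":
    billing_only = Admin("bob", {"Billing"})
    full_admin = Admin("alice", {"Admin"})
    print("unchecked, billing admin:", attempt(upgrade_unchecked, AppState(), billing_only, "2013-12-20"))
    print("checked,   billing admin:", attempt(upgrade_checked, AppState(), billing_only, "2013-12-20"))
    print("checked,   full admin:   ", attempt(upgrade_checked, AppState(), full_admin, "2013-12-20"))
```

The point of the check's placement is that it runs before the auto-upgrade test and before any state changes, and that it is default-deny: a role that is not in the table, or an action the role does not list, is refused rather than silently allowed.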

Impact:

We rate this vulnerability MEDIUM because HostBill can be upgraded by admins who are not authorized to do so.

Vulnerable Version:

This vulnerability was tested against HostBill v2013-12-14. (Yes, that is the version!)

Fixed Version:

This vulnerability was patched in HostBill v2013-12-20.

Vendor Contact Timeline:

2013-12-14: Vendor contacted via email.
2013-12-14: Vendor confirms vulnerability.
2013-12-20: Vendor issues 2013-12-20 update.
2013-12-20: Rack911 issues security advisory.