HostBill – Estimate (Client) Input Validation Failure (R911-0113)

Type: Input Validation
Location: Remote
Impact: Medium
Product: HostBill
Website: http://www.hostbillapp.com
Vulnerable Version: 2013-12-14
Fixed Version: 2014-01-03
CVE: -
R911: 0113
Date: 2014-01-06
By: Rack911

Product Description:

Whether you resell hosting or lease colocation space – you need to bill your customers. HostBill platform’s core components are designed to help you acquire customers, automate your services and ensure that invoices are paid on time.

Vulnerability Description:

A malicious user can brute force estimates belonging to any client because of input validation failures, which could result in sensitive information being obtained.
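To make the defensive point concrete, the following is an added illustration and not HostBill code: a client-portal estimate lookup of the kind this description implies, written first without and then with the checks that keep one client from reading another client's estimates. The schema, sample rows, function names and the miss limit are constructed for the demo; how HostBill itself stores or looks up estimates is not known from this advisory.

```python
# Added illustration, not HostBill code: a per-client estimate lookup
# written both without and with the checks that prevent one client from
# reading another client's estimates. Schema, sample rows, names and the
# miss limit are constructed for this demo.
import re
import sqlite3
from collections import Counter

# Positive integer of at most ten digits; anything else is rejected
# before it reaches the database.
ESTIMATE_ID_RE = re.compile(r"[1-9][0-9]{0,9}")

# Number of lookups from one session that fail validation or the
# ownership check before the portal stops answering for that session.
MISS_LIMIT = 5


def build_demo_db():
    """In-memory table standing in for the billing system's estimates."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE estimates ("
        " id INTEGER PRIMARY KEY, client_id INTEGER NOT NULL,"
        " total TEXT NOT NULL, notes TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO estimates VALUES (?, ?, ?, ?)",
        [
            (1001, 7, "249.00", "Dedicated server quote for client 7"),
            (1002, 8, "99.00", "Colocation quote for client 8"),
            (1003, 7, "19.99", "Shared hosting quote for client 7"),
        ],
    )
    return conn


def get_estimate_vulnerable(conn, raw_id, session_client_id):
    """Vulnerable pattern: the query is keyed on the estimate id alone.

    session_client_id is accepted but never used, so any logged-in client
    who supplies a different client's estimate id receives that record.
    """
    return conn.execute(
        "SELECT id, client_id, total, notes FROM estimates WHERE id = ?",
        (raw_id,),
    ).fetchone()


class EstimateService:
    """Hardened pattern: validate the id, scope the query to the
    authenticated client, and count misses per session."""

    def __init__(self, conn):
        self.conn = conn
        self.misses = Counter()

    def get_estimate(self, raw_id, session_client_id):
        # A session that has already tripped the miss limit gets nothing.
        if self.misses[session_client_id] >= MISS_LIMIT:
            return None
        # Validate shape first: the id must be a positive integer string.
        if not isinstance(raw_id, str) or not ESTIMATE_ID_RE.fullmatch(raw_id):
            self.misses[session_client_id] += 1
            return None
        # The ownership check is part of the query, so "not yours" and
        # "does not exist" look identical to the caller.
        row = self.conn.execute(
            "SELECT id, client_id, total, notes FROM estimates"
            " WHERE id = ? AND client_id = ?",
            (int(raw_id), session_client_id),
        ).fetchone()
        if row is None:
            self.misses[session_client_id] += 1
        return row


if __name__ == "__main__":
    db = build_demo_db()
    # Client 7 asks for estimate 1002, which belongs to client 8.
    print("vulnerable:", get_estimate_vulnerable(db, "1002", 7))
    svc = EstimateService(db)
    print("hardened, foreign id:", svc.get_estimate("1002", 7))
    print("hardened, own id:   ", svc.get_estimate("1001", 7))
```

The decisive fix is the second `WHERE` clause: the client id comes from the authenticated session, never from the request, so a guessed estimate id that belongs to someone else resolves to nothing. The shape check and the per-session miss counter are secondary: they keep malformed ids out of the query and make a guessing run visible and short-lived, which is also where detection logging would hook in.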

Impact:

We rate this vulnerability MEDIUM because sensitive information could be obtained.

Vulnerable Version:

This vulnerability was tested against HostBill v2013-12-14. (Yes, that is the version!)

Fixed Version:

This vulnerability was patched in HostBill v2014-01-03.

Vendor Contact Timeline:

2013-12-30: Vendor contacted via email.
2013-12-30: Vendor confirms vulnerability.
2014-01-03: Vendor issues 2014-01-03 update.
2014-01-06: Rack911 issues security advisory.