HostBill – Staff Tickets Blind SQL Injection Vulnerability (R911-0130)

Type: SQL Injecton
Location: Remote
Impact: Medium
Product: HostBill
Website: http://www.hostbillapp.com
Vulnerable Version: 2014-02-22
Fixed Version: 2014-02-24
CVE: -
R911: 0130
Date: 2014-02-25
By: Rack911

Product Description:

Whether you resell hosting or lease colocation space – you need to bill your customers. HostBill platform’s core components are designed to help you acquire customer, automate your services and ensure that invoices are paid on time.

Vulnerability Description:

It is possible for an authorized staff member to perform a blind SQL injection against HostBill to obtain sensitive information and/or escalate their privileges to a higher authority.

Impact:

We have deemed this vulnerability to be rated as MEDIUM due to the fact that authorized staff access is required. It is not possible for an unprivileged user to exploit this vulnerability.

Vulnerable Version:

This vulnerability was tested against HostBill 2014-02-22. (Yes, that is the version!)

Fixed Version:

This vulnerability was patched in HostBill 2014-02-24.

Vendor Contact Timeline:

2014-02-24: Vendor contacted via email.
2014-02-24: Vendor confirms vulnerability.
2014-02-24: Vendor issues 2014-02-24 update.
2014-02-25: Rack911 issues security advisory.