Type: Input Validation
Vulnerable Version: 2013-12-14
Fixed Version: 2014-01-03
Whether you resell hosting or lease colocation space – you need to bill your customers. HostBill platform’s core components are designed to help you acquire customer, automate your services and ensure that invoices are paid on time.
It is possible for a malicious user to submit trouble tickets to a hidden department and see the name of said department due to an input validation failure.
We have deemed this vulnerability to be rated as MEDIUM due to the fact that internal department information can be disclosed.
This vulnerability was tested against HostBill v2013-12-14. (Yes, that is the version!)
This vulnerability was patched in HostBill v2014-01-03.
Vendor Contact Timeline:
2013-12-30: Vendor contacted via email.
2013-12-30: Vendor confirms vulnerability.
2014-01-03: Vendor issues 2014-01-03 update.
2014-01-06: Rack911 issues security advisory.