HostBill – Submit Ticket (Hidden Department) Input Validation Failure (R911-0112)

Type: Input Validation
Location: Remote
Impact: Medium
Product: HostBill
Website: http://www.hostbillapp.com
Vulnerable Version: 2013-12-14
Fixed Version: 2014-01-03
CVE: -
R911: 0112
Date: 2014-01-06
By: Rack911

Product Description:

Whether you resell hosting or lease colocation space – you need to bill your customers. HostBill platform’s core components are designed to help you acquire customers, automate your services and ensure that invoices are paid on time.

Vulnerability Description:

It is possible for a malicious user to submit trouble tickets to a hidden department and see the name of said department due to an input validation failure.
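As an added illustration (this is not HostBill's code; the department table, field names and handler names below are hypothetical), the following Python contrasts a ticket handler that trusts the client-supplied department id with one that validates it server-side against the set of departments the form is actually allowed to offer. The hardened handler also returns the same generic error for hidden, unknown and malformed ids, so the response cannot be used to tell a hidden department apart from a nonexistent one.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Department:
    dept_id: int
    name: str
    hidden: bool  # hidden departments are for internal staff only


# Constructed sample department table (hypothetical; not HostBill's schema).
DEPARTMENTS = {
    1: Department(1, "Billing", hidden=False),
    2: Department(2, "Technical Support", hidden=False),
    7: Department(7, "Abuse Escalations", hidden=True),
}

# One generic error for every rejected selection (hidden, unknown, malformed).
GENERIC_ERROR = {"ok": False, "error": "Invalid department selection"}


def visible_departments():
    """Departments the public ticket form is allowed to offer to end users."""
    return {d.dept_id: d for d in DEPARTMENTS.values() if not d.hidden}


def submit_ticket_vulnerable(form):
    """Input validation failure: any id present in the table is accepted, even
    though the form never offered it, and the confirmation echoes the
    department's name, disclosing the hidden department."""
    dept = DEPARTMENTS.get(int(form["dept_id"]))
    if dept is None:
        return {"ok": False, "error": "Unknown department"}
    return {"ok": True, "message": f"Ticket opened in {dept.name}"}


def submit_ticket_hardened(form):
    """Server-side allow-list: the submitted id must be one the form could
    have offered. The check is done against visible departments only, and the
    rejection message never mentions whether the id exists."""
    raw = form.get("dept_id", "")
    # Accept only a short ASCII decimal id; anything else is rejected before lookup.
    if not isinstance(raw, str) or re.fullmatch(r"[0-9]{1,9}", raw) is None:
        return dict(GENERIC_ERROR)
    dept = visible_departments().get(int(raw))
    if dept is None:
        return dict(GENERIC_ERROR)
    return {"ok": True, "message": f"Ticket opened in {dept.name}"}


if __name__ == "__main__":
    # Constructed request for the hidden department id 7.
    probe = {"dept_id": "7"}
    print("vulnerable:", submit_ticket_vulnerable(probe))
    print("hardened:  ", submit_ticket_hardened(probe))
    print("hardened:  ", submit_ticket_hardened({"dept_id": "999"}))
```

The design point is that the list used to render the form and the list used to validate the submission must be the same allow-list; checking "does this department exist" instead of "could this user have selected it" is exactly the gap that lets a hidden department be reached and named.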

Impact:

We rate this vulnerability MEDIUM because internal department information can be disclosed.

Vulnerable Version:

This vulnerability was tested against HostBill v2013-12-14. (Yes, that is the version!)

Fixed Version:

This vulnerability was patched in HostBill v2014-01-03.

Vendor Contact Timeline:

2013-12-30: Vendor contacted via email.
2013-12-30: Vendor confirms vulnerability.
2014-01-03: Vendor issues 2014-01-03 update.
2014-01-06: Rack911 issues security advisory.