HostBill – XSS Admin Hijack Security Vulnerability (R911-0099)

Type: XSS
Location: Remote
Impact: High
Product: HostBill
Website: http://www.hostbillapp.com
Vulnerable Version: 2013-12-11
Fixed Version: 2013-12-14
CVE: -
R911: 0099
Date: 2013-12-14
By: Rack911

Product Description:

Whether you resell hosting or lease colocation space – you need to bill your customers. HostBill platform’s core components are designed to help you acquire customers, automate your services and ensure that invoices are paid on time.

Vulnerability Description:

There is a cross-site scripting (XSS) vulnerability present within HostBill that would allow a malicious user to obtain the admin session cookie, which could then be used to hijack access to the admin panel.

Impact:

We have rated this vulnerability as HIGH because the admin account(s) can be hijacked through it.

Vulnerable Version:

This vulnerability was tested against HostBill v2013-12-11.

Fixed Version:

This vulnerability was patched in HostBill v2013-12-14.

Vendor Contact Timeline:

2013-12-13: Vendor contacted via email.
2013-12-14: Vendor confirms vulnerability.
2013-12-14: Vendor issues v2013-12-14 update.
2013-12-14: Rack911 issues security advisory.