HostBill Email Templates CSRF/XSS Admin Hijack Vulnerability

HostBill Email Templates CSRF/XSS Admin Hijack Vulnerability

HostBill is one of the widely used hosting billing and support automation system.

WHMCS Complete Billing and Support

Vulnerability Description:

Due to both a CSRF and XSS vulnerability present within the Email Templates configuration page, it is possible for a malicious user to hijack staff accounts with minimal effort.

For example, the malicious user could submit a trouble ticket asking the staff member to check his website. Once the staff member views the website, the malicious CSRF and XSS code will be executed against HostBill resulting in the session information being sent to the malicious user thus allowing unauthorized access to the staff account within HostBill.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that the staff account(s) can be hijacked.

Vulnerable Version:

This vulnerability was tested against HostBill 2014-02-24.

Fixed Version:

This vulnerability was patched in HostBill 2014-03-03.

If you are using previous version, it is highly recommended that you upgrade to HostBill 2014-03-03 as soon as possible. This vulnerability was discovered by Rack911 – a leading server management and security company.

Posted in Security.

Leave a Reply

Your email address will not be published. Required fields are marked *