HostBill Email Templates CSRF/XSS Admin Hijack Vulnerability
HostBill is one of the widely used hosting billing and support automation system.
Due to both a CSRF and XSS vulnerability present within the Email Templates configuration page, it is possible for a malicious user to hijack staff accounts with minimal effort.
For example, the malicious user could submit a trouble ticket asking the staff member to check his website. Once the staff member views the website, the malicious CSRF and XSS code will be executed against HostBill resulting in the session information being sent to the malicious user thus allowing unauthorized access to the staff account within HostBill.
We have deemed this vulnerability to be rated as HIGH due to the fact that the staff account(s) can be hijacked.
This vulnerability was tested against HostBill 2014-02-24.
This vulnerability was patched in HostBill 2014-03-03.
If you are using previous version, it is highly recommended that you upgrade to HostBill 2014-03-03 as soon as possible. This vulnerability was discovered by Rack911 – a leading server management and security company.