HostBill Email Templates CSRF/XSS Admin Hijack Vulnerability
HostBill is a widely used hosting billing and support automation system.
Vulnerability Description:
Due to both a CSRF and XSS vulnerability present within the Email Templates configuration page, it is possible for a malicious user to hijack staff accounts with minimal effort.
For example, the malicious user could submit a trouble ticket asking the staff member to check his website. Once the staff member views the website, the malicious CSRF and XSS code is executed against HostBill, the session information is sent to the malicious user, and the malicious user can then access the staff account within HostBill without authorization.
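The two controls whose absence the description above relies on, shown in a hypothetical PHP handler for an admin "save email template" page (added example; this is not HostBill's code, and the function and form-field names are assumptions): a synchronizer token check on the state-changing request, output encoding of the stored template fields when the page is rendered, and HttpOnly/SameSite flags on the session cookie to limit what a successful injection could read.

```php
<?php
// Hypothetical admin handler for saving an email template (not HostBill code).
declare(strict_types=1);

// Defense in depth: a HttpOnly session cookie is not readable by injected
// script, and SameSite=Strict is not sent on cross-site form posts (PHP 7.3+).
session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict', 'secure' => true]);
session_start();

// --- Control 1: synchronizer token against CSRF ---------------------------
// One random token per session, embedded in the form as a hidden field.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Refuse any state-changing request whose token does not match the session's.
function require_csrf_token(): void {
    $sent = $_POST['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

// --- Control 2: contextual output encoding against stored XSS -------------
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$subject = '';
$body    = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    require_csrf_token();            // the vulnerable variant simply lacks this line
    $subject = (string)($_POST['subject'] ?? '');
    $body    = (string)($_POST['body'] ?? '');
    // ... persist $subject and $body as the template (storage omitted) ...
}

// Render the edit form. The vulnerable variant echoes $subject/$body unencoded,
// so a stored <script> runs for every staff member who opens the page.
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="<?= e(csrf_token()) ?>">
  <input type="text" name="subject" value="<?= e($subject) ?>">
  <textarea name="body"><?= e($body) ?></textarea>
  <button type="submit">Save template</button>
</form>
```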
Impact:
We rate this vulnerability HIGH because staff account(s) can be hijacked.
Vulnerable Version:
This vulnerability was tested against HostBill 2014-02-24.
Fixed Version:
This vulnerability was patched in HostBill 2014-03-03.
If you are using a previous version, it is highly recommended that you upgrade to HostBill 2014-03-03 as soon as possible. This vulnerability was discovered by Rack911, a leading server management and security company.