HostBill Security Update
HostBill is a complete client management, billing and support system used by many web hosting companies. They have released a patch on January 06, 2014 to address few security vulnerabilities.
The following issues were patched in the recent updates:
[1] HostBill – Submit Ticket (Hidden Department) Input Validation Failure.
With this vulnerability, it is possible for a malicious user to submit a ticket to hidden departments and see the name of said departments due to an input validation failure. Many web hosts keep some private departments for the internal use. This vulnerability was address in the recent HostBill security update.
[2] HostBill – Estimate (Client) Input Validation Failure.
With this vulnerability, it is possible for a malicious users to brute force estimates belonging to any client due to input validation failures which could result in sensitive information being obtained. This vulnerability was address in the recent HostBill security update.
Both vulnerabilities were discovered by Rack911 (server management and security company). Apart from WHMCS, HostBill is also one of the widely used billing and support solution by web hosting companies. It provides the facility for auto provisioning shared hosting accounts, VPS, Cloud hosting. For data center, it is used for Colocation manager, IP manager, Cloud usage monitoring etc.