
HotExBilling Manager Cross-site scripting (XSS) vulnerability



Title:
====

HotExBilling Manager - Cross-site scripting (XSS) vulnerability

Credit:
======

Name: Bhadresh Patel
Company/affiliation: HelpAG
Website: www.helpag.com

CVE:
=====

CVE-2015-2781

Date:
====

12-03-2015 (dd/mm/yyyy)

Vendor:
======

Hotspot Express has been in the billing solution business since 1997, under its 
earlier name EasyBrowsing. Initially it designed billing solutions for Internet 
cafés. To date it has more than 10000 installations across the globe.

Hotspot Express is one of the pioneers of complete WiFi solutions and has been 
serving customers for the past 10 years. Be it WiFi hardware from any leading 
manufacturer or software solutions to secure and manage wired or wireless 
networks, Hotspot Express has a solution. Whether you are a large corporate, an 
SME, a hotel, a resort or a cyber café, it offers a cost-effective solution. Not 
just for business alone: it also has solutions for universities and colleges.

Product:
=======

HotExBilling Manager is an integrated Captive Portal/AAA/Billing software 
solution from Hotspot Express for the Linux platform.

Product link: http://www.hotspotexpress.in/products/hsp.html

Abstract:
=======

Cross-site scripting vulnerability in the HotEx Billing Manager software 
enables an anonymous attacker to inject client-side script into Web pages 
viewed by other users.

Report-Timeline:
============
12-03-2013: Vendor notification
30-03-2013: Vendor notification (No response, Follow-up)
00-00-2013: Vendor Response/Feedback (No response)
00-00-2013: Vendor Fix/Patch (No response)
00-00-2013: Public or Non-Public Disclosure (No response)

Affected Version:
=============

V73


Exploitation-Technique:
===================

Remote


Severity Rating:
===================

5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)


Details:
=======


A Cross-site scripting vulnerability in the HotEx Billing Manager software 
enables an anonymous attacker to inject client-side script into Web pages 
viewed by other users.

The session cookie is set without the HttpOnly flag, so a successful XSS attack 
can read it through document.cookie.

If an attacker hijacks the admin user's cookie in this way, he can use it to log 
in to the admin portal and gain overall control of the HotEx device, guest 
accounts and payment details.

Vulnerable Module(s):

hotspotlogin.cgi

Vulnerable Parameter:

reply

http://<Device IP>/cgi-bin/hotspotlogin.cgi?res=failed&reply=%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e%2c%20Invalid%20username%20or%20Password
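Added example, not code from the vendor or from this advisory: a minimal Python sketch of the reflected-XSS pattern described above (the reply parameter echoed unescaped into the login page) next to the escaped rendering that fixes it, plus a Set-Cookie header carrying HttpOnly and a check for that flag. The URL is constructed from the PoC; the cookie value and the HTML wrapper are assumptions.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed from the advisory's PoC URL; the device IP is a placeholder.
POC_URL = ("http://172.1.1.1/cgi-bin/hotspotlogin.cgi?res=failed"
           "&reply=%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e"
           "%2c%20Invalid%20username%20or%20Password")


def reply_param(url: str) -> str:
    """Return the URL-decoded 'reply' query parameter as a CGI script sees it."""
    query = parse_qs(urlsplit(url).query)
    return query.get("reply", [""])[0]


def render_vulnerable(reply: str) -> str:
    """Echo the parameter verbatim into the page (assumed wrapper markup).

    Whatever markup the parameter contains is parsed by the browser."""
    return f"<p class='error'>{reply}</p>"


def render_hardened(reply: str) -> str:
    """Escape the parameter so it is displayed as text, never parsed as HTML."""
    return f"<p class='error'>{html.escape(reply, quote=True)}</p>"


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie value for PHPSESSID with the HttpOnly flag.

    HttpOnly stops script on the page from reading the cookie via
    document.cookie, which limits what a reflected XSS can steal."""
    cookie = SimpleCookie()
    cookie["PHPSESSID"] = session_id
    cookie["PHPSESSID"]["httponly"] = True
    cookie["PHPSESSID"]["path"] = "/"
    return cookie.output(header="").strip()


def cookie_is_httponly(set_cookie_value: str) -> bool:
    """Check a Set-Cookie value from a captured response for the HttpOnly flag."""
    attrs = [part.strip().lower() for part in set_cookie_value.split(";")]
    return "httponly" in attrs


if __name__ == "__main__":
    reply = reply_param(POC_URL)
    print("vulnerable:", render_vulnerable(reply))
    print("hardened:  ", render_hardened(reply))
    print("cookie:    ", session_cookie_header("example-session-id"))
```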

Caveats / Prerequisites:
======================

No Prerequisites

Proof Of Concept:
================

1) Open the URL below after replacing the device IP:

http://172.1.1.1/cgi-bin/hotspotlogin.cgi?res=failed&reply=%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e%2c%20Invalid%20username%20or%20Password

2) You should get a pop-up showing the document cookie (PHPSESSID).

PoC image: http://i62.tinypic.com/2hgwubq.jpg


Credits:
=======

Bhadresh Patel
Security Analyst
HelpAG (www.helpag.com)