Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:32103
HistoryMay 12, 2015 - 12:00 a.m.

HotExBilling Manager Cross-site scripting (XSS) vulnerability

2015-05-1200:00:00
vulners.com
24
JSON

Title:

HotExBilling Manager – Cross-site scripting (XSS) vulnerability

Credit:

Name: Bhadresh Patel
Company/affiliation: HelpAG
Website: www.helpag.com

CVE:

CVE-2015-2781

Date:

12-03-2015 (dd/mm/yyyy)

Vendor:

Hotspot Express has been in the billing solution business since 1997 in its earlier name EasyBrowsing. Initially, it designed billing solution to address Internet Cafй. Till today we have more 10000 installations across the globe.

Hotspot Express is one of the pioneers of complete WiFi solutions and has been serving for the past 10 years. Be it WiFi hardware from any leading manufacturer or software solutions to secure and manage wired or wireless networks, Hotspot Express has a solution. Whether you are from a big Corporate, SME, Hotel, Resort, Cyber Cafй, we have a cost effective solution for you. Not just for business alone, we have solution for Universities and colleges too.

Product:

HotExBilling Manager is an integrated Captive Portal/AAA/Billing software solution from Hotspot Express on LINUX platform.

Product link: http://www.hotspotexpress.in/products/hsp.html

Abstract:

Cross-site scripting vulnerability in the HotEx Billing Manager software enables an anonymous attacker to inject client-side script into Web pages viewed by other users.

Report-Timeline:

12-03-2013: Vendor notification
30-03-2013: Vendor notification (No response, Follow-up)
00-00-2013: Vendor Response/Feedback (No response)
00-00-2013: Vendor Fix/Patch (No response)
00-00-2013: Public or Non-Public Disclosure (No response)

Affected Version:

V73

Exploitation-Technique:

Remote

Severity Rating:

5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Details:

A Cross-site scripting vulnerability in the HotEx Billing Manager software enables an anonymous attacker to inject client-side script into Web pages viewed by other users.

Missing HttpOnly flag in cookie could allow an attacker to steal the document.cookie with successful XSS attack.

If the an attacker could hijack the admin user cookie, he could further use it to login to admin portal and can get overall control of the HotEx device, guest accounts and payment details.

Vulnerable Module(s):

hotspotlogin.cgi

Vulnerable Parameter:

reply

http://<Device IP>/cgi-bin/hotspotlogin.cgi?res=failed&reply=%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e%2c%20Invalid%20username%20or%20Password

Caveats / Prerequisites:

No Prerequisites

Proof Of Concept:

1) Open below URL after replacing device IP,

http://172.1.1.1/cgi-bin/hotspotlogin.cgi?res=failed&amp;reply=&#37;3cscript&#37;3ealert&#37;28document.cookie&#37;29&#37;3c&#37;2fscript&#37;3e&#37;2c&#37;20Invalid&#37;20username&#37;20or&#37;20Password

2) You should get a pop up with document cookie (PHPSESSID)

PoC image: http://i62.tinypic.com/2hgwubq.jpg

Credits:

Bhadresh Patel
Security Analyst
HelpAG (www.helpag.com)

Related

packetstorm 1
cve 1
prion 1
openvas 1
nessus 1
securityvulns 1
packetstorm
packetstorm
HotExBilling Manager 73 Cross Site Scripting
2015-04-06 00:00:00
cve
cve
CVE-2015-2781
2015-04-14 14:59:00
prion
prion
Cross site scripting
2015-04-14 14:59:00
openvas
openvas
Hotspot Express hotEx Billing Manager <= 73 Multiple Vulnerabilities - Active Check
2015-04-27 00:00:00
nessus
nessus
Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p2 Multiple Vulnerabilities
2015-05-21 00:00:00
securityvulns
securityvulns
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2015-05-12 00:00:00
JSON
Related for SECURITYVULNS:DOC:32103
packetstorm1cve1prion1openvas1nessus1securityvulns1