lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2d50bb6e1f9549c78de5c409c734869d@AEDXBMB01.helpag.com>
Date: Mon, 6 Apr 2015 15:29:06 +0000
From: Bhadresh Patel <Bhadresh.Patel@...pag.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] HotExBilling Manager – Cross-site scripting (XSS) vulnerability


Title:
====

HotExBilling Manager – Cross-site scripting (XSS) vulnerability

Credit:
======

Name: Bhadresh Patel
Company/affiliation: HelpAG
Website: www.helpag.com

CVE:
=====


CVE-2015-2781

Date:
====

12-03-2015 (dd/mm/yyyy)

Vendor:
======


Hotspot Express has been in the billing solution business since 1997 in its earlier name EasyBrowsing. Initially, it designed billing solution to address Internet Café. Till today we have more 10000 installations across the globe.


Hotspot Express is one of the pioneers of complete WiFi solutions and has been serving for the past 10 years. Be it WiFi hardware from any leading manufacturer or software solutions to secure and manage wired or wireless networks, Hotspot Express has a solution. Whether you are from a big Corporate, SME, Hotel, Resort, Cyber Café, we have a cost effective solution for you. Not just for business alone, we have solution for Universities and colleges too.

Product:
=======


HotExBilling Manager is an integrated Captive Portal/AAA/Billing software solution from Hotspot Express on LINUX platform.

Product link: http://www.hotspotexpress.in/products/hsp.html

Abstract:
=======

Cross-site scripting vulnerability in the HotEx Billing Manager software enables an anonymous attacker to inject client-side script into Web pages viewed by other users.

Report-Timeline:
============
12-03-2013: Vendor notification

30-03-2013: Vendor notification (No response, Follow-up)
00-00-2013: Vendor Response/Feedback (No response)
00-00-2013: Vendor Fix/Patch (No response)
00-00-2013: Public or Non-Public Disclosure (No response)

Affected Version:
=============

V73



Exploitation-Technique:
===================


Remote


Severity Rating:
===================

5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)



Details:
=======


A Cross-site scripting vulnerability in the HotEx Billing Manager software enables an anonymous attacker to inject client-side script into Web pages viewed by other users.

Missing HttpOnly flag in cookie could allow an attacker to steal the document.cookie with successful XSS attack.

If the an attacker could hijack the admin user cookie, he could further use it to login to admin portal and can get overall control of the HotEx device, guest accounts and payment details.

Vulnerable Module(s):

hotspotlogin.cgi

Vulnerable Parameter:

reply

http://<Device IP>/cgi-bin/hotspotlogin.cgi?res=failed&reply=%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e%2c%20Invalid%20username%20or%20Password

Caveats / Prerequisites:
======================

No Prerequisites

Proof Of Concept:
================

1) Open below URL after replacing device IP,


http://172.1.1.1/cgi-bin/hotspotlogin.cgi?res=failed&reply=%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e%2c%20Invalid%20username%20or%20Password<http://172.1.1.1/cgi-bin/hotspotlogin.cgi?res=failed&reply=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%2C%20Invalid%20username%20or%20Password>


2) You should get a pop up with document cookie (PHPSESSID)



PoC image: http://i62.tinypic.com/2hgwubq.jpg'<http://i62.tinypic.com/2hgwubq.jpg%27>



Credits:
=======

Bhadresh Patel

Security Analyst

HelpAG (www.helpag.com)



  Bhadresh Patel
  Security Analyst
  T: +97144405666 [cid:image79dd9d.JPG@...98561.409bce74]  F: +971 4 363 6742 [cid:image79dd9d.JPG@...98561.409bce74]  M: +971529172297
[cid:imagec280bf.PNG@...8c76d.478b05fd]
[cid:image20c7d7.JPG@...a6218.4a807928]<www.helpag.com>
[cid:image2d9fbe.PNG@...2bb0d.45a3f25d]
[cid:imagef83357.JPG@...e4f8d.43a75a96] [cid:image6e9e60.BMP@...ced30.4abd1e5a] <https://www.facebook.com/pages/help-AG-Middle-East/185411873637>       [cid:imagee2d459.BMP@...ce4b9.45804606] <http://www.linkedin.com/company/help-ag>       [cid:image6c5f0f.JPG@...cc3df.44ace014] <http://www.youtube.com/user/helpag>








Download attachment "image79dd9d.JPG" of type "image/jpeg" (1831 bytes)

Download attachment "imagec280bf.PNG" of type "image/png" (729 bytes)

Download attachment "image20c7d7.JPG" of type "image/jpeg" (33823 bytes)

Download attachment "image2d9fbe.PNG" of type "image/png" (1903 bytes)

Download attachment "imagef83357.JPG" of type "image/jpeg" (16041 bytes)

Download attachment "image6e9e60.BMP" of type "image/bmp" (5634 bytes)

Download attachment "imagee2d459.BMP" of type "image/bmp" (5634 bytes)

Download attachment "image6c5f0f.JPG" of type "image/jpeg" (8450 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ