what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

HotExBilling Manager 73 Cross Site Scripting

HotExBilling Manager 73 Cross Site Scripting
Posted Apr 6, 2015
Authored by Bhadresh Patel

HotExBilling Manager version 73 suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2015-2781
SHA-256 | f89a76503b13c1babdd6ef06c3833e86ce72585726e830aa66ce9afa10898690

HotExBilling Manager 73 Cross Site Scripting

Change Mirror Download
Title:
====

HotExBilling Manager – Cross-site scripting (XSS) vulnerability

Credit:
======

Name: Bhadresh Patel
Company/affiliation: HelpAG
Website: www.helpag.com

CVE:
=====

CVE-2015-2781

Date:
====

12-03-2015 (dd/mm/yyyy)

Vendor:
======

Hotspot Express has been in the billing solution business since 1997 in its earlier name EasyBrowsing. Initially, it designed billing solution to address Internet Café. Till today we have more 10000 installations across the globe.

Hotspot Express is one of the pioneers of complete WiFi solutions and has been serving for the past 10 years. Be it WiFi hardware from any leading manufacturer or software solutions to secure and manage wired or wireless networks, Hotspot Express has a solution. Whether you are from a big Corporate, SME, Hotel, Resort, Cyber Café, we have a cost effective solution for you. Not just for business alone, we have solution for Universities and colleges too.

Product:
=======

HotExBilling Manager is an integrated Captive Portal/AAA/Billing software solution from Hotspot Express on LINUX platform.

Product link: http://www.hotspotexpress.in/products/hsp.html

Abstract:
=======

Cross-site scripting vulnerability in the HotEx Billing Manager software enables an anonymous attacker to inject client-side script into Web pages viewed by other users.

Report-Timeline:
============
12-03-2013: Vendor notification
30-03-2013: Vendor notification (No response, Follow-up)
00-00-2013: Vendor Response/Feedback (No response)
00-00-2013: Vendor Fix/Patch (No response)
00-00-2013: Public or Non-Public Disclosure (No response)

Affected Version:
=============

V73


Exploitation-Technique:
===================

Remote


Severity Rating:
===================

5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)


Details:
=======


A Cross-site scripting vulnerability in the HotEx Billing Manager software enables an anonymous attacker to inject client-side script into Web pages viewed by other users.

Missing HttpOnly flag in cookie could allow an attacker to steal the document.cookie with successful XSS attack.

If the an attacker could hijack the admin user cookie, he could further use it to login to admin portal and can get overall control of the HotEx device, guest accounts and payment details.

Vulnerable Module(s):

hotspotlogin.cgi

Vulnerable Parameter:

reply

http://<Device IP>/cgi-bin/hotspotlogin.cgi?res=failed&reply=%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e%2c%20Invalid%20username%20or%20Password

Caveats / Prerequisites:
======================

No Prerequisites

Proof Of Concept:
================

1) Open below URL after replacing device IP,

http://172.1.1.1/cgi-bin/hotspotlogin.cgi?res=failed&reply=%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e%2c%20Invalid%20username%20or%20Password

2) You should get a pop up with document cookie (PHPSESSID)

PoC image: http://i62.tinypic.com/2hgwubq.jpg


Credits:
=======

Bhadresh Patel
Security Analyst
HelpAG (www.helpag.com)
Login or Register to add favorites

File Archive:

May 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    44 Files
  • 2
    May 2nd
    5 Files
  • 3
    May 3rd
    11 Files
  • 4
    May 4th
    0 Files
  • 5
    May 5th
    0 Files
  • 6
    May 6th
    28 Files
  • 7
    May 7th
    3 Files
  • 8
    May 8th
    4 Files
  • 9
    May 9th
    54 Files
  • 10
    May 10th
    12 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    18 Files
  • 14
    May 14th
    11 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    13 Files
  • 17
    May 17th
    22 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    17 Files
  • 21
    May 21st
    18 Files
  • 22
    May 22nd
    7 Files
  • 23
    May 23rd
    111 Files
  • 24
    May 24th
    27 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    6 Files
  • 28
    May 28th
    12 Files
  • 29
    May 29th
    31 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close