Trashbilling.com suffered from account enumeration, cross site scripting, denial of service, and remote SQL injection vulnerabilities. Trashflow 3.0 suffers from denial of service and hard-coded credential vulnerabilities.
470b4eb23083c6d35beb60491c350e8d089794af3047da9432eb27938a471df2A blog post with information located here:
https://thenopsled.com/trashbilling.html
============
Introduction
============
This was a basic vulnerability analysis of trashbilling.com (which I am
required to use to pay my trash bill), and Trashflow 3.0, which updates
trashbilling.com from the Trash Hauler side. My disclosure intent was
to force Ivy Computers Inc to re-assess their security posture as it was
severely lacking. This is a full disclosure following their 90 day
remediation period.
============
List Summary
============
trashbilling.com:
-Account enumeration/PII Leak [major]: trashbilling.com uses client side
identification without a password to access billing software, revealing
names/email/address/phone as well as partial CC data.
>This client side validation is unobfuscated javascript
-SQLI [major]- vulnerability contained in CC update field, giving access
to billing database, on any user
-XSS [minor]- vulnerability in email update field
-DOS [minor]- no restriction on setting another user's password, could
block all users from accessing their data
Trashflow 3.0:
-Hardcoded credentials [medium]- FTP hardcoded credentials available in
plaintext during backup and update software operations
-Hardcoded credentials [medium]- Software billing credentials hardcoded
in helper binary cash_drawer_cc.exe (allows editing of user billing
data)
-Public Exploits [medium]- FTP servers run off vsFTPd 2.0.5, risking
numerous DOS vulnerabilities
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed