From: Ulf Harnhammar (ulfh@update.uu.se)
Date: Thu Jun 06 2002 - 16:09:41 CDT
CBMS: XSS and SQL Injection holes
PROGRAM: CBMS
VENDOR: Voxel Dot Net, Inc. <cbms@voxel.net>
HOMEPAGE: http://www.voxel.net/projects/cbms/
VULNERABLE VERSIONS: 0.7 (and possibly earlier versions as well)
LOGIN REQUIRED: yes
SEVERITY: high
DESCRIPTION:
"The CBMS is a full featured client/billing management system designed from
the ground up to cater specifically to hosting providers. The software is a
PHP script package which uses mysql. Notable features include automated
invoicing, client search, multiple customizable packages for clients, and
client viewable real time invoice."
(direct quote from the program's project page at Freshmeat)
It is published under the terms of the Voxel Public License.
SECURITY HOLES:
CBMS is littered with XSS (Cross-site Scripting) and SQL Injection holes.
COMMUNICATION WITH VENDOR:
The vendor was contacted the first time on the 19th of May. No reply. They
were contacted again on the 24th of May. This time they replied that they were
working on a fixed version, which still hasn't been released.
// Ulf Harnhammar
ulfh@update.uu.se
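The advisory names two bug classes in a PHP/MySQL application but shows no code. The following is an added illustration, not CBMS code and not taken from the advisory: a generic unsafe PHP pattern for each class next to its fix. It runs offline against an in-memory SQLite database through PDO; the table name "clients", the column names, the "owner" value and the search term are constructed for the example and are not CBMS identifiers.

```php
<?php
// Added example (not CBMS code): SQL injection and XSS in a PHP/SQL
// search page, each shown unsafe and then fixed. Table/column names and
// inputs below are assumptions constructed for the demonstration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)');
$db->exec("INSERT INTO clients (name, owner) VALUES ('Alice Hosting', 'alice'), ('Bob Webshop', 'bob')");

// --- SQL injection -------------------------------------------------------

// Unsafe: the search term is spliced into the SQL text, so a logged-in
// user who may only see their own clients can break out of the string
// literal and read every row.
function searchClientsUnsafe(PDO $db, string $owner, string $q): array {
    $sql = "SELECT name FROM clients WHERE owner = '$owner' AND name LIKE '%$q%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: the term travels as a bound parameter and is never parsed as SQL.
function searchClientsSafe(PDO $db, string $owner, string $q): array {
    $stmt = $db->prepare('SELECT name FROM clients WHERE owner = ? AND name LIKE ?');
    $stmt->execute([$owner, '%' . $q . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed injection input: closes the LIKE literal, appends a true
// condition, and comments out the rest of the statement.
$payload = "%' OR 1=1 -- ";
var_dump(searchClientsUnsafe($db, 'alice', $payload)); // both clients' names leak
var_dump(searchClientsSafe($db, 'alice', $payload));   // empty: payload treated as text

// --- Cross-site scripting -----------------------------------------------

// Unsafe: the search term and the stored names are echoed into the HTML
// page verbatim, so markup supplied by a user reaches other users' browsers.
function renderResultsUnsafe(string $q, array $names): string {
    $html = "<p>Results for: $q</p><ul>";
    foreach ($names as $n) {
        $html .= "<li>$n</li>";
    }
    return $html . '</ul>';
}

// Fixed: every untrusted value is HTML-escaped at the point of output.
function renderResultsSafe(string $q, array $names): string {
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); // PHP 7.4+
    $html = '<p>Results for: ' . $e($q) . '</p><ul>';
    foreach ($names as $n) {
        $html .= '<li>' . $e($n) . '</li>';
    }
    return $html . '</ul>';
}

$xss = '<script>alert(document.cookie)</script>'; // constructed XSS input
echo renderResultsUnsafe($xss, []), "\n"; // script element is emitted intact
echo renderResultsSafe($xss, []), "\n";   // emitted as inert text: &lt;script&gt;...
```

Run with `php example.php` (requires the pdo_sqlite extension). The same two fixes apply to a real MySQL backend: prepared statements with bound parameters for every query that carries user input, and HTML escaping of every value at the point where it is written into a page, including values that were previously stored in the database.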