localhost
Random ramblings from someone working in InfoSec

contact me@localhost.re
2013/05/29

Another day, another billing panel. Found a sweet vulnerability in HostBill ("Security is critical").

Entire database dump written to a file of our choice. Super-duper validation of access level (none).

/includes/cpupdate.php?do=backup&filename=../templates_c/DB_Dump.txt&login_username=0&password=0


You can also use POST.

Oh, and if you really wanted to, you can modify your client name or something to <?php eval(...); ?> and set the filename extension to php. Credit cards are stored in the database; the encryption key is in /includes/config.php
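As an added example (my own illustration, not HostBill's code or a patch for it), this is how a backup endpoint of this kind can be written so that both failures described above are closed: the access check runs before any work, and the caller's filename is reduced to a bare name with a fixed .sql extension inside a directory outside the web root, which also rules out the .php variant. The directory, session field and function names are assumptions.

```php
<?php
// Added example, not HostBill's code: a backup endpoint written so that
// the two failures described above (no access check, caller-chosen output
// path) cannot occur. Directory, session field and function names are assumptions.
declare(strict_types=1);

const BACKUP_DIR = '/var/lib/billing/backups'; // assumed; must exist and sit outside the web root

// Access control first: nothing below runs without an authenticated admin session.
function isAdminSession(array $session): bool
{
    return isset($session['admin_id']) && (int) $session['admin_id'] > 0;
}

// Map a caller-supplied name to a path that is guaranteed to stay in BACKUP_DIR.
// "../templates_c/DB_Dump.txt" is reduced to "DB_Dump.txt" and then rejected
// because only the .sql extension is accepted.
function safeBackupPath(string $requested): string
{
    $name = basename($requested);                       // drop any directory component
    $stem = pathinfo($name, PATHINFO_FILENAME);
    $ext  = pathinfo($name, PATHINFO_EXTENSION);
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $stem) || $ext !== 'sql') {
        throw new InvalidArgumentException('invalid backup file name');
    }
    $path = BACKUP_DIR . '/' . $stem . '.sql';
    // Second line of defence: the resolved parent directory must be BACKUP_DIR itself
    // (realpath() returns false for a non-existent directory, which also fails here).
    if (realpath(dirname($path)) !== realpath(BACKUP_DIR)) {
        throw new RuntimeException('backup path escaped the backup directory');
    }
    return $path;
}

// Returns the HTTP status the caller should send. $dumpSql is the already
// generated dump text; how it is produced is out of scope here.
function handleBackup(array $session, array $params, string $dumpSql): int
{
    if (!isAdminSession($session)) {
        return 403;
    }
    try {
        $path = safeBackupPath($params['filename'] ?? 'db.sql');
    } catch (InvalidArgumentException | RuntimeException $e) {
        return 400;
    }
    if (file_put_contents($path, $dumpSql, LOCK_EX) === false) {
        return 500;
    }
    chmod($path, 0600);   // the dump holds billing data; owner-only read
    return 200;
}

// Usage from the request handler (session started elsewhere):
// $status = handleBackup($_SESSION ?? [], $_POST, $dumpSql);
// http_response_code($status);
```

The order matters: the session check comes before the filename is even looked at, so an unauthenticated request never reaches the file-writing code regardless of what it carries in the filename parameter, and the basename-plus-whitelist step means a traversal sequence or a changed extension is simply rejected rather than sanitised.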

PS: In case you wanted to report this vulnerability to them, it costs only $75. There is no other way to contact them.