Trashbilling.com / Trashflow 3.0 XSS / SQL Injection

2017.05.14
Credit: g00se
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89, CWE-79

A blog post with more information is located here: https://thenopsled.com/trashbilling.html

============ Introduction ============

This was a basic vulnerability analysis of trashbilling.com (which I am required to use to pay my trash bill) and of Trashflow 3.0, the software that updates trashbilling.com from the trash hauler side. My disclosure intent was to force Ivy Computers Inc to re-assess their security posture, as it was severely lacking. This is a full disclosure following their 90-day remediation period.

============ List Summary ============

trashbilling.com:

-Account enumeration/PII leak [major]- trashbilling.com uses client-side identification without a password to access the billing software, revealing names, email addresses, postal addresses and phone numbers as well as partial credit card data.
 >This client-side validation is unobfuscated JavaScript.
-SQLi [major]- vulnerability in the credit card update field, giving access to the billing database for any user
-XSS [minor]- vulnerability in the email update field
-DoS [minor]- no restriction on setting another user's password; could block all users from accessing their data

Trashflow 3.0:

-Hardcoded credentials [medium]- FTP credentials available in plaintext during backup and update software operations
-Hardcoded credentials [medium]- software billing credentials hardcoded in the helper binary cash_drawer_cc.exe (allows editing of user billing data)
-Public exploits [medium]- FTP servers run vsFTPd 2.0.5, exposing them to numerous known DoS vulnerabilities
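The advisory names the two web bug classes (CWE-89 in the credit card update field, CWE-79 in the email update field) but does not show any of the site's code. The following is an added example written for this page, not code from trashbilling.com, Trashflow or the advisory author: a hypothetical billing update handler in its vulnerable form beside a hardened one, run against a constructed in-memory table. The table name, column names and account IDs are assumptions made for the demonstration. The injection payload is placed in the CC field, as the advisory describes, and uses string concatenation with a subquery rather than a comment sequence, so the resulting statement stays syntactically valid and pulls another customer's value into the attacker's own row.

```python
"""Added example (not trashbilling.com code): CWE-89 and CWE-79 shown as a
vulnerable handler beside a hardened one. Table, columns and account IDs are
assumptions for the demo."""
import html
import sqlite3


def make_db():
    """Constructed billing table with two sample customers (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (account_id TEXT PRIMARY KEY, email TEXT, cc_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice@example.com", "1111"), ("1002", "bob@example.com", "2222")],
    )
    conn.commit()
    return conn


def get_cc_last4(conn, account_id):
    row = conn.execute(
        "SELECT cc_last4 FROM accounts WHERE account_id = ?", (account_id,)
    ).fetchone()
    return row[0] if row else None


def update_cc_vulnerable(conn, account_id, cc_last4):
    """CWE-89: the CC field is pasted into the statement with string formatting."""
    sql = "UPDATE accounts SET cc_last4 = '%s' WHERE account_id = '%s'" % (
        cc_last4,
        account_id,
    )
    conn.execute(sql)
    conn.commit()


# Payload typed into the CC field of account 1001. It closes the string literal,
# concatenates a subquery against another customer's row, and reopens the literal:
#   UPDATE accounts SET cc_last4 = '' || (SELECT ... '1002') || '' WHERE account_id = '1001'
EXFIL_PAYLOAD = "' || (SELECT cc_last4 FROM accounts WHERE account_id = '1002') || '"


def update_cc_safe(conn, account_id, cc_last4):
    """Hardened: whitelist the field shape, then bind it as a parameter."""
    if not (len(cc_last4) == 4 and cc_last4.isdigit()):
        raise ValueError("cc_last4 must be exactly four digits")
    conn.execute(
        "UPDATE accounts SET cc_last4 = ? WHERE account_id = ?", (cc_last4, account_id)
    )
    conn.commit()


def render_email_vulnerable(email):
    """CWE-79: user-supplied email reflected into HTML without encoding."""
    return "<p>Email: %s</p>" % email


def render_email_safe(email):
    """Hardened: HTML-encode at the point of output (quote=True also covers attributes)."""
    return "<p>Email: %s</p>" % html.escape(email, quote=True)


def demo():
    conn = make_db()

    # 1. Vulnerable handler: account 1001 now holds account 1002's value.
    update_cc_vulnerable(conn, "1001", EXFIL_PAYLOAD)
    leaked = get_cc_last4(conn, "1001")

    # 2. Parameter binding alone already neutralises the payload: it is stored
    #    as an inert string, and no subquery runs against the other row.
    conn.execute(
        "UPDATE accounts SET cc_last4 = ? WHERE account_id = ?", (EXFIL_PAYLOAD, "1002")
    )
    bound_only_verbatim = get_cc_last4(conn, "1002") == EXFIL_PAYLOAD

    # 3. Hardened handler rejects the payload before it reaches the database.
    try:
        update_cc_safe(conn, "1001", EXFIL_PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True

    # 4. XSS: the same string rendered without and with output encoding.
    xss = "<script>alert(1)</script>"
    return {
        "leaked_cc_last4": leaked,
        "bound_only_stored_verbatim": bound_only_verbatim,
        "payload_rejected_by_safe_handler": blocked,
        "vulnerable_html": render_email_vulnerable(xss),
        "safe_html": render_email_safe(xss),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix is the same pair of controls the CWE entries prescribe: bind every user-supplied value as a query parameter (the whitelist check is defence in depth, not the primary control), and HTML-encode at output time rather than trying to strip tags on input.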


Copyright 2017, cxsecurity.com