/ Trashflow 3.0 XSS / SQL Injection

Credit: g00se
Risk: Medium
Local: No
Remote: Yes

A blog post with information located here: ============ Introduction ============ This was a basic vulnerability analysis of (which I am required to use to pay my trash bill), and Trashflow 3.0, which updates from the Trash Hauler side. My disclosure intent was to force Ivy Computers Inc to re-assess their security posture as it was severely lacking. This is a full disclosure following their 90 day remediation period. ============ List Summary ============ -Account enumeration/PII Leak [major]: uses client side identification without a password to access billing software, revealing names/email/address/phone as well as partial CC data. >This client side validation is unobfuscated javascript -SQLI [major]- vulnerability contained in CC update field, giving access to billing database, on any user -XSS [minor]- vulnerability in email update field -DOS [minor]- no restriction on setting another user's password, could block all users from accessing their data Trashflow 3.0: -Hardcoded credentials [medium]- FTP hardcoded credentials available in plaintext during backup and update software operations -Hardcoded credentials [medium]- Software billing credentials hardcoded in helper binary cash_drawer_cc.exe (allows editing of user billing data) -Public Exploits [medium]- FTP servers run off vsFTPd 2.0.5, risking numerous DOS vulnerabilities

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018,


Back to Top