Trashbilling.com / Trashflow 3.0 XSS / SQL Injection

Published
Credit
Risk
2017.05.14
g00se
Medium
CWE
CVE
Local
Remote
CWE-89
CWE-79
N/A
No
Yes

A blog post with information located here:
https://thenopsled.com/trashbilling.html

============
Introduction
============

This was a basic vulnerability analysis of trashbilling.com (which I am
required to use to pay my trash bill), and Trashflow 3.0, which updates
trashbilling.com from the Trash Hauler side. My disclosure intent was
to force Ivy Computers Inc to re-assess their security posture as it was
severely lacking. This is a full disclosure following their 90 day
remediation period.

============
List Summary
============

trashbilling.com:

-Account enumeration/PII Leak [major]: trashbilling.com uses client side
identification without a password to access billing software, revealing
names/email/address/phone as well as partial CC data.
>This client side validation is unobfuscated javascript
-SQLI [major]- vulnerability contained in CC update field, giving access
to billing database, on any user
-XSS [minor]- vulnerability in email update field
-DOS [minor]- no restriction on setting another user's password, could
block all users from accessing their data

Trashflow 3.0:

-Hardcoded credentials [medium]- FTP hardcoded credentials available in
plaintext during backup and update software operations
-Hardcoded credentials [medium]- Software billing credentials hardcoded
in helper binary cash_drawer_cc.exe (allows editing of user billing
data)
-Public Exploits [medium]- FTP servers run off vsFTPd 2.0.5, risking
numerous DOS vulnerabilities





See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com