
ModernBill < 4.3.3 Multiple Vulnerabilities

Medium

Synopsis

The remote host is missing a critical security patch or upgrade.

Description

The remote host is running ModernBill, a web hosting application written in PHP. This version of ModernBill is vulnerable to several remote attacks. There are Cross-Site Scripting (XSS) flaws in the 'aid' and 'c_code' parameters of the orderwiz.php script. An attacker exploiting these flaws can inject script code into a URI. If the attacker can convince a user to browse to a malicious URI, there is a risk of confidential data being sent back to the attacker. In addition, there is a flaw in the news.php script that would allow an attacker to execute arbitrary server-side code on the web server. Versions of ModernBill prior to 4.3.3 are also vulnerable to a SQL injection flaw. Successful exploitation would allow a remote attacker to execute arbitrary code on the database server.
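
The following is an added example, not part of the original advisory or of ModernBill: one way to review web server access logs for requests to orderwiz.php whose 'aid' or 'c_code' values carry markup. The combined log format, the /modernbill/ install path, the sample lines and the markup pattern are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Script and parameters named in the advisory's XSS description.
WATCHED_SCRIPT = "orderwiz.php"
WATCHED_PARAMS = ("aid", "c_code")

# Assumption: legitimate values for these parameters never contain
# HTML metacharacters, script URLs or inline event-handler attributes.
MARKUP = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.IGNORECASE)

# Request field of a common/combined format log line: "METHOD URI PROTOCOL"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP range, hypothetical install path).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2006:10:00:00 +0000] "GET /modernbill/orderwiz.php?aid=1042&c_code=SPRING HTTP/1.1" 200 5120',
    '192.0.2.77 - - [01/Jan/2006:10:00:05 +0000] "GET /modernbill/orderwiz.php?aid=%3Cscript%3Eprobe%3C/script%3E HTTP/1.1" 200 5190',
    '192.0.2.77 - - [01/Jan/2006:10:00:09 +0000] "GET /modernbill/orderwiz.php?aid=7&c_code=%2522%253E HTTP/1.1" 200 5201',
    '192.0.2.10 - - [01/Jan/2006:10:00:12 +0000] "GET /modernbill/index.php?q=%3Cb%3E HTTP/1.1" 200 800',
]

def suspicious_params(uri):
    """Return watched parameter names whose decoded value contains markup."""
    parts = urlsplit(uri)
    if not parts.path.lower().endswith("/" + WATCHED_SCRIPT):
        return []
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    for name in WATCHED_PARAMS:
        for value in query.get(name, []):
            # parse_qs decodes once; decode again to catch double encoding.
            if MARKUP.search(value) or MARKUP.search(unquote_plus(value)):
                hits.append(name)
                break
    return hits

def scan(lines):
    """Yield (line_number, client_ip, params) for each flagged log line."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        hits = suspicious_params(match.group(1))
        if hits:
            yield number, line.split(" ", 1)[0], hits

if __name__ == "__main__":
    for number, client, params in scan(SAMPLE_LOG):
        print(f"line {number}: {client} sent markup in {', '.join(params)}")
```

A hit shows that markup reached the script, not that it was reflected; hosts still running a version earlier than 4.3.3 need the upgrade regardless of what the logs show.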

Solution

Upgrade to version 4.3.3 or higher.