ModernBill < 4.3.3 Multiple Vulnerabilities

Medium

Synopsis

The remote host is missing a critical security patch or upgrade.

Description

The remote host is running ModernBill, a web hosting application written in PHP. This version of ModernBill is vulnerable to several remote attacks. There are Cross-Site Scripting (XSS) flaws in the 'aid' and 'c_code' parameters of the orderwiz.php script. An attacker exploiting these flaws can inject script code into a URI. If the attacker can convince a user to browse to a malicious URI, there is a risk of confidential data being sent back to the attacker. In addition, there is a flaw in the news.php script that would allow an attacker to execute arbitrary server-side code on the web server. Versions of ModernBill prior to 4.3.3 are also vulnerable to a SQL injection flaw. Successful exploitation would allow a remote attacker to execute arbitrary code on the database server.

Solution

Upgrade to version 4.3.3 or higher.