  1. #1

    Modern Bill Vulnerabilities - 4.3.0 and prior

    I just got this email from the mailing list, thought I should pass it along.


    Vulnerable Systems:
    * ModernBill version 4.3.0 and prior

    Immune Systems:
    * ModernBill version 4.3.1 or newer

    Cross Site Scripting:
    The ModernBill order forms are prone to multiple cross site scripting
    issues. Below are a few examples of this particular issue:[XSS][XSS]

    This vulnerability could be used to steal cookie based authentication
    credentials within the scope of the current domain, or render hostile code
    in a victim's browser.

    Remote File Include Vulnerability:
    ModernBill ships with a directory titled "samples" that resides in the
    root ModernBill directory. This directory contains several files to help
    users learn how to customize ModernBill to specifically fit their needs.
    One of the scripts included in this directory is vulnerable to a very
    dangerous remote file include vulnerability. Let's have a look at the file

    // ~~~~~~~~~~~~~~~~~
    // ~~~~~~~~~~~~~~~~~

    If globals are set to on, and no include restrictions are in effect, then
    we can include any PHP code of our choice remotely. Of course the host
    serving the malicious file to be included could not have PHP enabled, or the
    file would be parsed before it reached the victim server:

    This issue is very dangerous when present, but regardless of your server
    configuration you are still encouraged to upgrade immediately.

    A fix for the mentioned issues has been available for quite some time now
    and users should upgrade their ModernBill installations.
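
    The advisory above elides both the XSS samples and the vulnerable sample script. The following is an added illustration (not ModernBill's code, and not from the advisory author) of the two defect classes it describes, each shown in its weak form next to a hardened form: an order-form field echoed without output encoding versus one passed through `htmlspecialchars`, and an `include` driven by request data versus one resolved through a fixed allow-list. The `templates/` directory, the template names and the `risky_ini_settings` helper are assumptions made for the example; the sample request value is constructed.

```php
<?php
// Added illustration, not ModernBill code. Weak and hardened forms of the
// two issue classes in the advisory: reflected XSS in an order form, and a
// remote file include through an include() fed by request data.

declare(strict_types=1);

// --- XSS: render a form field safely --------------------------------------
function esc(string $value): string
{
    // ENT_QUOTES encodes both " and ' so the value is safe inside attributes.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Weak: the request value is written straight into the markup.
function render_field_unsafe(array $request, string $name): string
{
    $value = $request[$name] ?? '';
    return "<input name=\"$name\" value=\"$value\">";
}

// Hardened: every dynamic piece is encoded on output.
function render_field(array $request, string $name): string
{
    $value = $request[$name] ?? '';
    return '<input name="' . esc($name) . '" value="' . esc($value) . '">';
}

// --- RFI: pick the template from an allow-list ----------------------------
const TEMPLATE_DIR = __DIR__ . '/templates';   // assumed layout for the example
const TEMPLATES = ['invoice' => 'invoice.php', 'receipt' => 'receipt.php'];

// Weak pattern: with register_globals=On the variable can be populated from
// the query string, and with allow_url_include=On it can name a remote URL.
function load_template_unsafe(string $template): void
{
    include $template;
}

// Hardened: only known keys map to files, and the resolved path must stay
// under TEMPLATE_DIR even after symlink and ".." resolution.
function load_template(string $key): void
{
    if (!isset(TEMPLATES[$key])) {
        throw new InvalidArgumentException("unknown template: $key");
    }
    $path = realpath(TEMPLATE_DIR . '/' . TEMPLATES[$key]);
    $base = realpath(TEMPLATE_DIR);
    if ($path === false || $base === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('template outside of ' . TEMPLATE_DIR);
    }
    include $path;
}

// --- Interpreter-level check ----------------------------------------------
// Returns the php.ini switches relevant to this advisory that are still on.
// register_globals no longer exists in current PHP, so ini_get() returns
// false for it there; the false check keeps the function portable.
function risky_ini_settings(): array
{
    $risky = [];
    foreach (['register_globals', 'allow_url_include', 'allow_url_fopen'] as $key) {
        $v = ini_get($key);
        if ($v !== false && filter_var($v, FILTER_VALIDATE_BOOLEAN)) {
            $risky[] = $key;
        }
    }
    return $risky;
}

// Constructed sample input standing in for a crafted order-form request.
$sample = ['customer' => '"><em>injected</em>'];
echo render_field_unsafe($sample, 'customer'), "\n"; // attribute is broken open
echo render_field($sample, 'customer'), "\n";        // rendered as literal text
echo 'Risky ini settings: ', implode(', ', risky_ini_settings()) ?: '(none)', "\n";
```

    Running the script prints the same field twice: the weak renderer lets the quote in the value close the attribute and start new markup, while the hardened one shows the value as inert text. The allow-list keeps `include` independent of request data altogether, which is the durable fix; `allow_url_include=Off` (and `register_globals=Off` on the PHP versions that still had it) is the configuration layer the advisory's "include restrictions" refers to, and `risky_ini_settings()` reports which of those switches are still enabled on the host.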

  2. #2

  3. #3
    Ahh man, I thought I was on top of this one!
