Reporting massive exploits

Started by ProfFrnswrth, November 07, 2013, 03:51:46 PM

ProfFrnswrth

I was just curious how I would go about reporting major exploits in HostBill's own website that allow one to download HostBill without having to be logged in as a user, as well as have direct access to HostBill's own website's system files.

Danny

You can try to open a ticket in the licensing department; this is the only one that is free, but you need an account on HostBill to open the ticket.
regards
Danny

nibb

Since they don't want to be contacted, I would post the exploit in a public place like Web Hosting Talk; maybe they get hacked and learn from it how idiotic their attitude is.

Since they don't want to be contacted, what other alternative do you have except posting it in a public place?

If they require registration, it means people that do not use their product and find an exploit cannot report it to them.

You are too kind to waste your time doing it, in particular because they will not waste 1 second on you; they want to be paid for that.

ProfFrnswrth

I would like to work it out to where I could report the exploits and perhaps get a free license. Will consider by end of the day today.

This exploit is pretty massive: it allows you to download the latest version of HostBill (pre 4.6 version w/ all templates and modules) without any authentication and also to access their own website and view certain directories where someone could copy all the information.

nibb

Send me a PM and I will try to contact them since I tend to receive a reply from them.


ProfFrnswrth

Used to be that the link:

http://hostbillapp.com/clientarea/index.php?cmd=module&module=dw&upgr

gave you direct access to the download, bypassing the login, due to an old cPanel module they had that let someone install HostBill directly from cPanel.

Also, a lot of the folders in the HostBill installation are missing index.php files. Since HostBill's website uses the exact same installation as the one they provide, those same folders were missing index.php files, so someone could gain direct access to the folders (examples were orderpages and templates) and download the .tpl files.

nibb

That is not a security exploit, but it can be considered a security risk or not, depending on how you want your web server working.

It's called indexing, and cPanel has this turned on by default, which is the reason why you should always put an index file in folders or secure them with .htaccess. Of course, the best thing is to turn directory indexing off on all servers, just in case you forgot to put an index file into a folder.

It's not a critical issue, since a visitor can browse your files anyway; there is nothing he can't do either way if he knows you use HostBill and knows which files to try to pull in the browser. It would be a security risk if you let someone browse a folder for content that is not supposed to be browsed or looked at, but in other cases this is actually desired: in the case of someone providing public downloads, visitors can easily browse all the files to download. That is probably why cPanel has this turned on by default, since you can always disable it manually on each folder with an index file or an .htaccess file.

I thought you were referring to an exploit in the software itself. It's just a misconfiguration on their install.

About the cPanel download module you mentioned, I'm not sure, since it's not up anymore. What exactly were you able to download at that link?
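As an added example that is not part of the thread, the check nibb describes can be scripted: audit a web root for folders with no index file (the ones a server with directory indexing on would list) and disable listing for the whole tree. It assumes Apache honouring .htaccess (AllowOverride Options); the paths used are made up.

```sh
#!/bin/sh
# Added example, not from the thread. Audit a web root for directories that
# a server with directory indexing enabled would list, then turn listing off.
# Assumes Apache with AllowOverride Options so .htaccess is honoured.

# Print every directory under $1 that has no index.php/index.html/index.htm.
# These are the folders (like templates or orderpages in the thread) whose
# contents a visitor could browse if "Options Indexes" is active.
find_unindexed_dirs() {
  find "$1" -type d | while IFS= read -r dir; do
    if [ ! -e "$dir/index.php" ] && [ ! -e "$dir/index.html" ] \
       && [ ! -e "$dir/index.htm" ]; then
      printf '%s\n' "$dir"
    fi
  done
}

# Turn listing off for the whole tree in one place instead of dropping an
# index file into every folder. Writes $1/.htaccess; subfolders inherit it.
disable_indexing() {
  printf 'Options -Indexes\n' > "$1/.htaccess"
}

# Server-wide equivalent (preferred, as the post says): put "Options -Indexes"
# in the relevant <Directory> block of httpd.conf so that a forgotten index
# file can never expose a folder, regardless of per-folder .htaccess files.

# Stand-alone usage: ./audit.sh /var/www/html
if [ "$#" -ge 1 ]; then
  find_unindexed_dirs "$1"
fi
```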