« Vulnerability: ModernBill Insecure CURL Settings
Vulnerability: AWBS magic_quotes_gpc “Off” SQL Injection and XSS »

Vulnerability: AWBS Dedicated Server Info Visible to All Users

Published
by
justin
on June 10, 2007
in Security Vulnerabilities
. Tags: , .

Advisory: AWBS Dedicated Server Info Visible to All Users
Release Date: 2007-06-10
Last Modified: 2007-07-26
Author: Justin Samuel [http://www.justinsamuel.com]

Application: AWBS < 2.6.0
Severity: Less Critical
Impact: Disclosure of sensitive information
Vendor Status: Vendor released version 2.6.0 to address issue. Testing still needed to verify that issue is corrected.

Vendor: Total Online Solutions, Inc.
App. Website: http://www.awbs.com/
References: http://www.justinsamuel.com/2007/06/10/awbs-dedicated-server-info-visible-to-all-users-vulnerability/

————————————————————————–

Description:

Advanced Webhost Billing System (AWBS) allows any user access to the details of
all dedicated servers sold through AWBS.

The information made available about all dedicated servers includes:
- Server hostname
- Main IP address
- Admin username
- Nameservers

————————————————————————–

Proof of Concept:

Proof of concept exploit code has been provided to the vendor.

————————————————————————–

Disclosure Timeline:

2007-06-10: Informed AWBS developers of vulnerability details by email.

2007-07-26: Public disclosure.

————————————————————————–

Recommendations:

If using AWBS to sell dedicated servers, remove the file smanage.php until the
vendor releases a fix or upgrade to patched version of software.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

0 Responses to “Vulnerability: AWBS Dedicated Server Info Visible to All Users”

Feed for this Entry Trackback Address
  1. No Comments

Leave a Reply

« Vulnerability: ModernBill Insecure CURL Settings
Vulnerability: AWBS magic_quotes_gpc “Off” SQL Injection and XSS »