← Advisories

iBilling v3.7.0 Multiple Stored and Reflected Cross-Site Scripting Vulnerabilities

Medium
Advisory ID
ZSL-2016-5332
Release Date
24 June 2016
Vendor
iBilling - http://www.ibilling.io
Affected Version
3.7.0
CVE
N/A
Tested On
nginx, PHP/5.5.9-1ubuntu4.6
Summary

Summary: The features you want, the simplicity you need! Beautifully designed for best User Interface & User Experience. The software That Works For YOUR Business! Get growing - with affordable, scalable business software. Find innovative ways to manage customers data, communicate with customer, know your business cashflow, net worth, send invoice to customer Hassle-free with single click payment reminder, payment confirmations & get paid online integrated with payment gateways.

Description

iBilling suffers from multiple cross-site scripting vulnerabilities. The issue is triggered when input passed via multiple parameters is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Proof of Concept
ibilling_xss.txtTXT
Disclosure Timeline
08.06.2016Vulnerability discovered.
08.06.2016First contact with vendor.
08.06.2016Vendor responds asking for details.
08.06.2016Vulnerability details sent to the vendor.
14.06.2016Follow up with vendor.
24.06.2016No response from the vendor.
24.06.2016Public security advisory released.
Credits
Vulnerability discovered by Bikramaditya Guha
References
[1]https://www.exploit-db.com/exploits/40022/
[2]https://cxsecurity.com/issue/WLB-2016060203
[3]https://packetstormsecurity.com/files/137666
[4]https://exchange.xforce.ibmcloud.com/vulnerabilities/114483
[5]https://exchange.xforce.ibmcloud.com/vulnerabilities/114486
Changelog
24.06.2016Initial release
28.06.2016Added reference [1], [2], [3], [4] and [5]