Hostbill 4.6 / Clientexec 4.6.2 Security Vulnerability

Posted by Daniel B, 05-29-2013, 02:05 PM
Surprised I haven't seen a thread about this yet... Just saw two posts about severe vulnerabilities in both of these newer versions. I do not want to post the links here because they contain the process for actually carrying out the exploit. I'm sending the links to Steven/Patrick as I know they love to look into this type of stuff. Hopefully they will post more details shortly that won't actually compromise anyone's installs.

In the meantime, I would suggest anyone using Hostbill block public access to cpupdate.php until they release a patch. Not sure what to recommend for ClientExec, because the files affected can't be blocked without shutting down the entire billing system...

Posted by Daniel B, 05-29-2013, 02:10 PM
Oh, the Hostbill issue can result in a complete database dump written to any file of choice... so I'd say it's a pretty severe issue (since everything, including credit card information, is stored in the database).

Posted by Patrick, 05-29-2013, 02:32 PM
We took a quick look and can confirm that both exploits are real and incredibly dangerous. The HostBill exploit allows someone to dump the entire database and download it. Blocking access to /includes/cpupdate.php as Daniel said is vital at the moment since this does appear to have been leaked out to the public. If someone has an active (free) support account with HostBill, tell Kris to contact Daniel or Steven and/or myself to get a copy of the exploit. We were not the ones who found it, so who knows how many people are aware of it at this point.

Posted by Clientexec-Matt, 05-29-2013, 02:37 PM
I haven't heard of anything like this in ClientExec. Can you e-mail me at matt@clientexec.com with more information on this?

Posted by Patrick, 05-29-2013, 02:39 PM
Talking to Alberto now.

Posted by Matthew_B, 05-29-2013, 03:11 PM
We have now blocked access to ours, a pretty serious exploit here.

Posted by Inertia Networks, 05-29-2013, 03:26 PM
Yuck... I'm glad we are moving to Blesta soon!

Posted by dediserve, 05-29-2013, 03:35 PM
Kris has confirmed: Working on patch now! Please remove /includes/cpupdate.php

Posted by dediserve, 05-29-2013, 03:45 PM
patch has been released https://hostbillapp.com/clientarea/p...4.6.0_4324.zip

Posted by astanton, 05-29-2013, 03:52 PM
Why did he do this? Why did he want to take everyone's data? Was that legal? It is very mean.

Posted by zacharooni, 05-29-2013, 03:57 PM
astanton; Not sure where you're getting that information. That would be a very unwise course of action for any software vendor.

Posted by Daniel B, 05-29-2013, 04:00 PM
Would be nice if he would add it to the autoupgrader for those who have reseller licenses and no access to the client area... and I dunno... maybe an official announcement...

Posted by nibb, 05-29-2013, 04:17 PM
It seems now someone will give me credit when I said the auto update feature on software like this was the most stupid feature ever. Billing software like this should only call a server home for a license check. Never ever download anything from remote servers. You could compromise a server and send fake updates to everyone. Now a PHP file that updates your install? How dangerous, since it needs to have full access to the account. It seems this exploit targets exactly that feature. But I would like someone to send me a PM on how exactly to replicate this, because I tried on my install and could not make the dump.

Posted by Dathorn-Andrew, 05-29-2013, 04:20 PM
Any other details on the ClientExec vulnerability? Will need to address this with our clients who use our resold ClientExec licenses.

Posted by Patrick, 05-29-2013, 04:22 PM
They are working on it now and will have a patch out ASAP!

Posted by Alberto, 05-29-2013, 05:04 PM
ClientExec has released version 4.6.3 to address these issues: https://www.clientexec.com/members/i...&view=FileList Please take a look at the changelog, until we send out an announcement, for more information on what is included in this release. We have been asked, so I also wanted to add that if you have been upgraded or your CE was installed by one of our staff members in the last three months, then please submit a ticket and we will gladly upgrade you to this release at no additional cost. Also, it goes without saying, but if you have problems installing and upgrading on your own, please contact us and we will make sure to get you all sorted out.

Last edited by Alberto; 05-29-2013 at 05:10 PM. Reason: update concerning previous upgrades

Posted by techjr, 05-29-2013, 05:22 PM
Where are you getting this information? I'm actually confused by this. It appears to be patched by both vendors, which is great. But the same exploit worked on both. Do they share a framework, or was it simply a coincidence? I actually couldn't find any information on the exploit, so regardless, I'm glad the information was posted on the forum. Thank you.

Posted by Clientexec-Matt, 05-29-2013, 05:24 PM
The two exploits were different, and were just bundled together in this forum post.

Posted by zacharooni, 05-29-2013, 05:29 PM
From HostBill support:

Posted by techjr, 05-29-2013, 05:30 PM
Thanks for clearing that up. My failed reading comprehension told me it was the same file in my head.

Posted by brianoz, 05-29-2013, 09:08 PM
Technology exists to make self-update very secure. If the updates are signed on the server using a private key (with the password manually entered), and the clients only accept validly signed updates, then you are pretty much as secure as can be done with today's technology. An additional layer of verification of the server, done differently, should probably be added.
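The signed-update scheme brianoz describes, as an added example that is not code from the original thread or from HostBill or ClientExec. It uses Go's standard-library Ed25519: the vendor signs the SHA-256 digest of the update package with a private key that stays on the build server, the client ships with the vendor's public key pinned into the install, and an update is only written to disk if the signature checks out. The package bytes, key material and function names are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed stand-in for a downloaded update archive (in practice the zip of
// PHP files the auto-updater would unpack into the web root).
var sampleUpdate = []byte("hostbill-update-4.6.0_4324: <archive bytes>")

// SignUpdate is the vendor-side step: the build server signs the SHA-256 digest
// of the package. The private key never leaves that server; the text assumes it
// is password-protected and unlocked by hand for each release.
func SignUpdate(priv ed25519.PrivateKey, pkg []byte) []byte {
	digest := sha256.Sum256(pkg)
	return ed25519.Sign(priv, digest[:])
}

// VerifyUpdate is the client-side gate, run before a single file is written.
// It recomputes the digest and checks the signature against the pinned vendor
// public key, so a compromised or spoofed update server cannot push code:
// whatever it serves, it cannot produce a signature the pinned key accepts.
func VerifyUpdate(pub ed25519.PublicKey, pkg, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("pinned public key has wrong size")
	}
	if len(sig) != ed25519.SignatureSize {
		return errors.New("signature has wrong size")
	}
	digest := sha256.Sum256(pkg)
	if !ed25519.Verify(pub, digest[:], sig) {
		return errors.New("update signature invalid: refusing to apply")
	}
	return nil
}

func main() {
	// One-time vendor key generation; only pub is compiled into the client.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := SignUpdate(priv, sampleUpdate)
	fmt.Println("signature:", hex.EncodeToString(sig))

	// Genuine package: verifies and may be installed.
	fmt.Println("genuine:  ", VerifyUpdate(pub, sampleUpdate, sig))

	// Package altered in transit or on a compromised mirror: rejected.
	tampered := append([]byte{}, sampleUpdate...)
	tampered[0] ^= 0xff
	fmt.Println("tampered: ", VerifyUpdate(pub, tampered, sig))

	// Package signed with an attacker's own key: rejected, the key is not pinned.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong key:", VerifyUpdate(pub, sampleUpdate, SignUpdate(attackerPriv, sampleUpdate)))
}
```

The signature covers the package contents, not the URL it came from, so this protects against a hijacked update host but says nothing about who you are talking to; the separate server-verification layer brianoz mentions (for example pinning the update host's TLS certificate) is what closes that gap, and a version number inside the signed payload is what stops an attacker replaying an old, signed but vulnerable release.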
