Detections
Analytics
ModernBill < 4.3.3 Multiple Vulnerabilities
medium Nessus Network Monitor Plugin ID 2812
Synopsis
The remote host is missing a critical security patch or upgrade.Description
The remote host is running ModernBill, a web hosting application written in PHP. This version of ModernBill is vulnerable to several remote attacks. There are Cross-Site Scripting (XSS) flaws in the 'aid' and 'c_code' parameters of the orderwiz.php script. An attacker exploiting these flaws can inject script code into a URI. If the attacker can convince a user into browse a malicious URI, there is a risk of confidential data being sent back to the attacker. In addition, there is a flaw in the news.php script that would allow an attacker to execute arbitrary server-side code on the web server. Versions of ModerBill prior to 4.3.3 are also vulnerable to a SQL injection flaw. Successful exploitation would allow a remote attacker the ability to execute arbitrary code on the database server.Solution
Upgrade to version 4.3.3 or higher.See Also
http://www.gulftech.org/?node=research&article_id=00067-04102005
http://archives.neohapsis.com/archives/bugtraq/2005-04/0129.html
http://www.moderngigabyte.com/modernbill/forums/showthread.php?t=20520
Plugin Details
Severity: Medium
ID: 2812
Family: CGI
Published: 4/11/2005
Updated: 3/6/2019
Nessus ID: 18008
Risk Information
VPR
Risk Factor: Medium
Score: 6.6
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 6.5
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS v3
Risk Factor: Medium
Base Score: 5.6
Temporal Score: 5.5
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Temporal Vector: CVSS:3.0/E:F/RL:U/RC:X
Vulnerability Information
CPE: cpe:/a:moderngigabyte:modernbill