Home / os / winmobile

Trashbilling.com / Trashflow 3.0 XSS / SQL Injection

Posted on 13 May 2017

A blog post with information located here: https://thenopsled.com/trashbilling.html ============ Introduction ============ This was a basic vulnerability analysis of trashbilling.com (which I am required to use to pay my trash bill), and Trashflow 3.0, which updates trashbilling.com from the Trash Hauler side. My disclosure intent was to force Ivy Computers Inc to re-assess their security posture as it was severely lacking. This is a full disclosure following their 90 day remediation period. ============ List Summary ============ trashbilling.com: -Account enumeration/PII Leak [major]: trashbilling.com uses client side identification without a password to access billing software, revealing names/email/address/phone as well as partial CC data. >This client side validation is unobfuscated javascript -SQLI [major]- vulnerability contained in CC update field, giving access to billing database, on any user -XSS [minor]- vulnerability in email update field -DOS [minor]- no restriction on setting another user's password, could block all users from accessing their data Trashflow 3.0: -Hardcoded credentials [medium]- FTP hardcoded credentials available in plaintext during backup and update software operations -Hardcoded credentials [medium]- Software billing credentials hardcoded in helper binary cash_drawer_cc.exe (allows editing of user billing data) -Public Exploits [medium]- FTP servers run off vsFTPd 2.0.5, risking numerous DOS vulnerabilities

 

TOP