HotExBilling Manager 73 Cross Site Scripting

Published: 06 Apr 2015 · Reported by: Bhadresh Patel · Source: packetstorm (packetstormsecurity.com)

HotExBilling Manager XSS vulnerability: allows unauthorized injection of client-side scripts and potential hijacking of admin user cookies, leading to complete control of the HotEx device, guest accounts and payment details.

Title:  
====  
  
HotExBilling Manager – Cross-site scripting (XSS) vulnerability  
  
Credit:  
======  
  
Name: Bhadresh Patel  
Company/affiliation: HelpAG  
Website: www.helpag.com  
  
CVE:  
=====  
  
CVE-2015-2781  
  
Date:  
====  
  
12-03-2015 (dd/mm/yyyy)  
  
Vendor:  
======  
  
Hotspot Express has been in the billing solution business since 1997, under its earlier name EasyBrowsing. Initially it designed a billing solution for Internet cafés. Till today we have more than 10000 installations across the globe.  
  
Hotspot Express is one of the pioneers of complete WiFi solutions and has been serving customers for the past 10 years. Be it WiFi hardware from any leading manufacturer or software solutions to secure and manage wired or wireless networks, Hotspot Express has a solution. Whether you are a big corporate, an SME, a hotel, a resort or a cyber café, we have a cost-effective solution for you. Not just for business alone, we have solutions for universities and colleges too.  
  
Product:  
=======  
  
HotExBilling Manager is an integrated Captive Portal/AAA/Billing software solution from Hotspot Express on the Linux platform.  
  
Product link: http://www.hotspotexpress.in/products/hsp.html  
  
Abstract:  
=======  
  
Cross-site scripting vulnerability in the HotEx Billing Manager software enables an anonymous attacker to inject client-side script into Web pages viewed by other users.  
  
Report-Timeline:  
============  
12-03-2013: Vendor notification  
30-03-2013: Vendor notification (No response, Follow-up)  
00-00-2013: Vendor Response/Feedback (No response)  
00-00-2013: Vendor Fix/Patch (No response)  
00-00-2013: Public or Non-Public Disclosure (No response)  
  
Affected Version:  
=============  
  
V73  
  
  
Exploitation-Technique:  
===================  
  
Remote  
  
  
Severity Rating:  
===================  
  
5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)  
  
  
Details:  
=======  
  
  
A Cross-site scripting vulnerability in the HotEx Billing Manager software enables an anonymous attacker to inject client-side script into Web pages viewed by other users.  
  
The session cookie is set without the HttpOnly flag, so a successful XSS attack can read it through document.cookie.  
  
If an attacker hijacks the admin user's cookie, it can be used to log in to the admin portal and gain overall control of the HotEx device, guest accounts and payment details.  
  
Vulnerable Module(s):  
  
hotspotlogin.cgi  
  
Vulnerable Parameter:  
  
reply  
  
http://<Device IP>/cgi-bin/hotspotlogin.cgi?res=failed&reply=%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e%2c%20Invalid%20username%20or%20Password  
  
Caveats / Prerequisites:  
======================  
  
No Prerequisites  
  
Proof Of Concept:  
================  
  
1) Open the URL below after replacing the device IP:  
  
http://172.1.1.1/cgi-bin/hotspotlogin.cgi?res=failed&reply=%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e%2c%20Invalid%20username%20or%20Password  
  
2) A pop-up should appear showing the document cookie (PHPSESSID).  
  
PoC image: http://i62.tinypic.com/2hgwubq.jpg  
  
  
Credits:  
=======  
  
Bhadresh Patel  
Security Analyst  
HelpAG (www.helpag.com)  
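The Details and Proof Of Concept sections above describe two defects: hotspotlogin.cgi reflects the `reply` parameter into the page unescaped, and the PHPSESSID cookie lacks HttpOnly. The following is an added example (not code from the advisory or from Hotspot Express) that decodes the advisory's PoC URL, shows the unescaped reflection beside two corrected renderings, builds a Set-Cookie header with the missing flags, and flags such requests in access logs; all function names, the MESSAGES table and the log-check heuristic are assumptions.

```python
from html import escape
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: the advisory's PoC URL with its placeholder device IP.
POC_URL = ("http://172.1.1.1/cgi-bin/hotspotlogin.cgi?res=failed"
           "&reply=%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e"
           "%2c%20Invalid%20username%20or%20Password")

# Hypothetical fixed messages keyed by the `res` code, so the page never needs
# free text taken from the URL.
MESSAGES = {"failed": "Invalid username or Password", "timeout": "Session expired"}


def query_params(url: str) -> dict:
    """Decode the query string into single-valued parameters (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def render_vulnerable(reply: str) -> str:
    """Reflects `reply` unescaped: the defect in hotspotlogin.cgi the advisory describes."""
    return f"<p class='error'>{reply}</p>"


def render_escaped(reply: str) -> str:
    """Minimal fix: HTML-escape the value so any markup is displayed as text, not executed."""
    return f"<p class='error'>{escape(reply, quote=True)}</p>"


def render_by_code(res: str) -> str:
    """Stronger fix: look the message up by result code and ignore `reply` entirely."""
    return f"<p class='error'>{escape(MESSAGES.get(res, 'Login failed'))}</p>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for PHPSESSID with the HttpOnly flag the advisory says is missing."""
    c = SimpleCookie()
    c["PHPSESSID"] = session_id
    c["PHPSESSID"]["httponly"] = True   # document.cookie can no longer read it
    c["PHPSESSID"]["secure"] = True     # only sent over HTTPS
    c["PHPSESSID"]["samesite"] = "Lax"
    c["PHPSESSID"]["path"] = "/"
    return c.output(header="").strip()


def looks_like_xss_probe(url: str) -> bool:
    """Detection helper for access logs: flag a decoded `reply` that carries markup."""
    reply = query_params(url).get("reply", "").lower()
    return "<" in reply or "javascript:" in reply
```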
