The Netbilling 'nbmember.cgi' script is reportedly prone to an information disclosure vulnerability. This issue may allow remote attackers to gain access to user authentication credentials and potentially sensitive configuration information.
Netbilling nbmember.cgi cmd Variable Information Disclosure
Remote / Network Access
Loss of Confidentiality
Netbilling nbmember.cgi contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when the 'test' parameter is supplied to the script, which could allow a remote attacker to locate the 'members-service.pwd' password file and the 'nbmember.cfg' file that contains the access key. With a specially crafted request containing the access key, a remote attacker could then disclose sensitive user information, resulting in a loss of confidentiality.
Upgrade to version 2.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
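For triage on hosts that ran a version below 2.3, one way to search web server logs for the triggering request, as an added example that is not part of the original advisory. It assumes Apache combined log format and, because the advisory names both a 'cmd' variable and a 'test' parameter, flags either form; the sample log lines and addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

SCRIPT = "nbmember.cgi"  # script name taken from the advisory

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2005:10:01:02 +0000] "GET /cgi-bin/nbmember.cgi?cmd=test HTTP/1.0" 200 512 "-" "-"
203.0.113.9 - - [12/Mar/2005:10:02:10 +0000] "GET /cgi-bin/nbmember.cgi?CMD=%74est HTTP/1.0" 200 512 "-" "-"
192.0.2.44 - - [12/Mar/2005:10:03:00 +0000] "GET /members/index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.44 - - [12/Mar/2005:10:03:05 +0000] "GET /cgi-bin/nbmember.cgi?test=1 HTTP/1.1" 403 199 "-" "Mozilla/4.0"
192.0.2.50 - - [12/Mar/2005:10:04:00 +0000] "POST /cgi-bin/nbmember.cgi HTTP/1.1" 200 20 "-" "-"
"""

# Captures: client, timestamp, method, request target, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def is_test_request(target):
    """True if target is nbmember.cgi with a 'test' parameter or cmd=test."""
    parts = urlsplit(target)
    name = unquote(parts.path).rsplit("/", 1)[-1].lower()
    if name != SCRIPT:
        return False
    # parse_qs percent-decodes; keep_blank_values keeps a bare "?test".
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in params.items():
        key = key.lower()
        if key == "test":
            return True
        if key == "cmd" and any(v.strip().lower() == "test" for v in values):
            return True
    return False

def scan(log_text):
    """Return one record per matching request, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        client, when, _method, target, status = m.groups()
        if is_test_request(target):
            hits.append({"client": client, "time": when, "target": target,
                         "served": status.startswith("2")})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Hits with `served` set to true received a 2xx response and are the ones to review first.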