Metamorfosec Security Advisory METS-2019-005
A division by zero in Hoteldruid before v2.3.1

FIRST PUBLISHED: June 6, 2019
VERSION: 1.0
VENDOR: DigitalDruid.Net
PRODUCT: Hoteldruid
VERSION AFFECTED: 2.3.0 (prior versions may also be affected)
CVE-ID: CVE-2019-9084

PRODUCT DESCRIPTION:
(from the official website: http://www.hoteldruid.com)
Hoteldruid is an open source program for hotel management (property management software) developed by DigitalDruid.Net. Thanks to the great flexibility of its web interface it can satisfy a wide range of demands, from those of bed & breakfasts or vacation houses with few apartments to those of hotels with hundreds of rooms.

FINDING:
In Hoteldruid before 2.3.1, a division by zero was discovered in $num_tabelle in tab_tariffe.php (aka the numtariffa1 parameter) due to the mishandling of non-numeric values, as demonstrated by the /tab_tariffe.php?anno=[YEAR]&numtariffa1=1a URI. It could allow an administrator to conduct a remote denial of service, disrupting certain business functions of the product, i.e. preventing the creation of rate tables, rate descriptions, and rate photos.

PROOF OF CONCEPT:
1. Open http://[DOMAIN_NAME]/hoteldruid_2.3.0/hoteldruid/tab_tariffe.php?anno=[YEAR]&id_sessione=&numtariffa1=1
2. In the URL address bar, add a non-numeric value after the number 1 in the numtariffa1 parameter
3. Press Enter to trigger the division by zero

MITIGATION:
Update to v2.3.1 or newer

ADVISORY TIMELINE:
Jan 20, 2019 - Vulnerability found
Jan 24, 2019 - First contact with vendor; responses received
Feb 21, 2019 - Vendor released v2.3.1. Requested CVE-ID
Feb 25, 2019 - Got CVE-2019-9084 (still reserved)
June 6, 2019 - Released METS-2019-005 v1.0 and requested publication of CVE-2019-9084

REVISION HISTORY:
Version 1.0 (June 6, 2019) - First release

REFERENCES:
http://www.hoteldruid.com/en/download.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9084

DISCLAIMER:
The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on our website.
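The root cause described in the FINDING is a query-string value that reaches integer arithmetic without being validated as a number. The following PHP is an added example written for this advisory; it is not Hoteldruid's code and does not reproduce the actual computation of $num_tabelle in tab_tariffe.php. It shows the defensive pattern a fix for this class of bug follows: reject anything that is not a bounded positive integer before it is used, and make the divisor check explicit rather than relying on how a given PHP version coerces strings such as "1a". The helper names parsePositiveInt() and tablesPerRate() and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added example (not Hoteldruid code). Demonstrates validating a request
// parameter before it is used as a divisor, the failure mode the advisory
// describes for numtariffa1 in tab_tariffe.php.
declare(strict_types=1);

// Hypothetical helper: accept only ASCII-digit strings within a bounded range.
// How PHP coerces a leading-numeric string like "1a" or a non-numeric string
// in arithmetic differs across versions (silent 0, warning, or error), so the
// robust fix is to never let such values reach the arithmetic at all.
function parsePositiveInt(?string $raw, int $max = 1000): ?int
{
    if ($raw === null || preg_match('/\A[0-9]+\z/', $raw) !== 1) {
        return null; // "1a", "", "-1", "1.0" and "abc" are all rejected here
    }
    $value = (int) $raw;
    return ($value >= 1 && $value <= $max) ? $value : null; // "0" is rejected here
}

// Hypothetical computation standing in for the kind of per-rate table count
// the advisory's $num_tabelle suggests; the real formula is not on the page.
function tablesPerRate(int $totalRows, ?string $numTariffaRaw): int
{
    $numTariffa = parsePositiveInt($numTariffaRaw);
    if ($numTariffa === null) {
        // Fail closed with a clear message instead of emitting a warning
        // or a DivisionByZeroError from deep inside the page logic.
        throw new InvalidArgumentException('numtariffa1 must be a positive integer');
    }
    // parsePositiveInt() already guarantees a non-zero divisor; intdiv() is
    // used so any future regression surfaces as an exception, not a warning.
    return intdiv($totalRows, $numTariffa);
}

// Constructed inputs mirroring the proof of concept: "1" is accepted,
// "1a" (the advisory's trigger) and the other malformed values are rejected.
// In a real handler the raw value would come from $_GET['numtariffa1'] ?? null.
foreach (['1', '1a', '0', '', 'abc'] as $candidate) {
    try {
        printf("numtariffa1=%-4s -> %d tables\n", $candidate, tablesPerRate(12, $candidate));
    } catch (InvalidArgumentException $e) {
        printf("numtariffa1=%-4s -> rejected: %s\n", $candidate, $e->getMessage());
    }
}
```

Validating at the boundary also gives defenders a clean detection point: a rejected numtariffa1 value can be logged with the session and remote address, so repeated malformed requests against tab_tariffe.php from an administrator account stand out in application logs rather than appearing only as PHP warnings.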