Metamorfosec Security Advisory METS-2019-006
Invalid Arguments in Hoteldruid before v2.3.1

FIRST PUBLISHED: June 6, 2019
VERSION: 1.0
VENDOR: DigitalDruid.Net
PRODUCT: Hoteldruid
VERSION AFFECTED: 2.3.0 (prior versions may also be affected)
CVE-ID: CVE-2019-9085

PRODUCT DESCRIPTION:
(from the official website: http://www.hoteldruid.com)
Hoteldruid is an open source program for hotel management (property management software) developed by DigitalDruid.Net. Thanks to the great flexibility of its web interface it can satisfy a wide range of demands, from those of bed & breakfasts or vacation houses with few apartments to those of hotels with hundreds of rooms.

FINDING:
Hoteldruid before v2.3.1 allows remote authenticated users to cause a denial of service (invoice-creation outage) via the n_file parameter to visualizza_contratto.php with invalid arguments (any non-numeric value), as demonstrated by the anno=2019&id_transazione=1&numero_contratto=1&n_file=a query string to visualizza_contratto.php.

PROOF OF CONCEPT:
1. Create a reservation first.
2. Go to the Reservations tab.
3. Under Document Type, choose Invoice and click the View button.
4. Copy the link address of the available invoice into the URL address bar.
5. In the URL address bar, replace the value of the n_file parameter with any non-numeric value to produce the invalid arguments error message.

MITIGATION:
Update to v2.3.1 or newer.

ADVISORY TIMELINE:
Jan 20, 2019 - Vulnerability found
Jan 24, 2019 - First contact with vendor; responses received
Feb 21, 2019 - Vendor released v2.3.1; CVE-ID requested
Feb 25, 2019 - Received CVE-2019-9085 (still reserved)
June 6, 2019 - Released METS-2019-006 v1.0 and requested publication of CVE-2019-9085

REVISION HISTORY:
Version 1.0 (June 6, 2019) - First release

REFERENCES:
http://www.hoteldruid.com/en/download.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9085

DISCLAIMER:
The information provided in this security advisory is provided "as is" and without warranty of any kind.
Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on our website.
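The following is an added example, not part of the advisory or of Hoteldruid's own code: a small log check that flags requests to visualizza_contratto.php carrying a non-numeric n_file value (the condition described in the FINDING), together with the strict validation rule a fixed handler should apply to that parameter. The log lines are constructed samples in Apache combined format, and the /hoteldruid/ path prefix is an assumption.

```python
"""Flag visualizza_contratto.php requests whose n_file parameter is non-numeric."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jun/2019:10:00:01 +0000] "GET /hoteldruid/visualizza_contratto.php?anno=2019&id_transazione=1&numero_contratto=1&n_file=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [06/Jun/2019:10:00:09 +0000] "GET /hoteldruid/visualizza_contratto.php?anno=2019&id_transazione=1&numero_contratto=1&n_file=a HTTP/1.1" 200 812 "-" "Mozilla/5.0"
10.0.0.7 - - [06/Jun/2019:10:00:12 +0000] "GET /hoteldruid/visualizza_contratto.php?anno=2019&id_transazione=1&numero_contratto=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Jun/2019:10:00:15 +0000] "GET /hoteldruid/prenota.php?anno=2019 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request method, request target and status code of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def n_file_is_valid(value):
    """A valid n_file is a plain ASCII decimal integer; letters, an empty value,
    signs, whitespace and exponent notation are all rejected."""
    return re.fullmatch(r"[0-9]+", value) is not None


def parse_line(line):
    """Return the fields of one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": url.path,
            "params": parse_qs(url.query, keep_blank_values=True)}


def find_invalid_n_file(log_text):
    """Return (ip, timestamp, value) for every visualizza_contratto.php request
    whose n_file value fails the numeric check."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"].rsplit("/", 1)[-1] != "visualizza_contratto.php":
            continue
        for value in rec["params"].get("n_file", []):
            if not n_file_is_valid(value):
                hits.append((rec["ip"], rec["ts"], value))
    return hits
```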