Hosting Controller planmanagerstep1.asp Arbitrary Unrestricted Plan Creation

2005-07-15T19:11:00
ID OSVDB:17917
Type osvdb
Reporter Soroush Dalili (irsdl@yahoo.com)
Modified 2005-07-15T19:11:00

Description

Vulnerability Description

Hosting Controller contains a flaw that may allow a remote attacker to create arbitrary plans. The problem is that the application does not restrict access to the 'planmanagerstep1.asp' script, which may allow an authenticated remote attacker to create arbitrary plans resulting in a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

http://[target]/admin/hosting/planmanagerstep1.asp

References:

Vendor URL: http://www.hostingcontroller.com/
Security Tracker: 1014496
Secunia Advisory ID: 16115
Related OSVDB ID: 17916
Related OSVDB ID: 17918
Related OSVDB ID: 17915
Nessus Plugin ID: 19254