Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

alabanza.txt

🗓️ 27 Sep 2000 00:00:00Reported by Weihan LeowType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 22 Views

Critical vulnerability allows unauthorized domain manipulation in Alabanza web hosting control panels.

Code
`  
Vulnerability: Ability to add/modify domains in name servers of webhosting  
companies who are reselling for Alabanza.  
  
Vendor Contacted: Yes, 09-14-99 - Hole still exists.  
  
==========================================================================  
Hello everyone, I currently discovered a serious bug in the control  
panel that can really bring a webhost to it's knees. This hole is for the  
control panel of all Alabanza based resellers/hosts. There could be more  
bugs but I did not take the time to find them yet. This is serious enough  
since you can delete all resold domains for a particulr webhosting  
company. You can also change the default MX and CNAME records of all  
associated domains.  
  
By copying the following url to *most* alabanza host resellers, you have  
the ability to add a domain to their NS without the control panel user  
name and password:  
  
http://www.domain.com/cp/rac/nsManager.cgi?Domain=HAHAHA.org&IP=127.0.0.1&OP=add&Language=english&Submit=Confirm  
*The above link has been broken to prevent abuse. If you are an Alabanza  
based host/reseller, you can easily fix it*  
  
I have tested this on multiple domains and so far, most of them worked.  
You can substitute domain.com for any Alabanza host/reseller domain and  
for the domain you want DNS set up for, substitute HAHAHA.org for it. I  
also changed the ip to localhost instead of whatever was in there. The ip  
you put after IP= is the ip the domain will resolve to.  
  
Here is an example after typing in the above fixed link with a proper  
Alabanza domain in the beginning.  
  
Name Server Manager  
Domain HAHAHA.org will be added within 1 hour!  
Your domain HAHAHA.org 127.0.0.1 will be setup within 1 hour!  
  
Please click here to go back.  
  
After the submission of the domain, you are even given a link to take a  
look at the changes to be made. From this page, you can delete as well  
as modify all associated domains:  
  
http://www.domain.com/cp/rac/nsManager.cgi?Language=english  
*Again, it's been broken*  
  
Again, no user name and password is required.  
  
This is one of the exploits I have currently found in the control panel.  
I have not looked further since this notice should make everyone aware of  
what potential problems can exist. Serious damage to a host can be caused  
through this.  
  
If you would like to get it fixed, you better email the admins at  
Alabanza. It's been more than a week since I have contacted them and no  
fix yet. Hopefully, this will speed them up.  
  
Weihan Leow  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
27 Sep 2000 00:00Current
7.4High risk
Vulners AI Score7.4
vulnerabilityweb hostingalabanzadomain manipulationcontrol panelresellersecurity flaw.
22