hosting.controller.txt

08 Jan 2002 00:00:00 | Reported by: Phuong Nguyen | Type: packetstorm | Source: packetstormsecurity.com | 29 Views

Multiple vulnerabilities found in Hosting Controller 1.4.1 allow unauthorized directory browsing.

Code
`Hi,  
Here's my new advisory about Hosting Controller.  
  
Phuong  
  
Hosting Controller - Multiple vulnerabilities  
Date: 01/04/2002  
  
Summary  
-------  
  
Hosting Controller is an all-in-one administrative hosting tool for Windows. It automates a wide range of hosting tasks and provides control of each hosted site to the respective owners. Hosting Controller is now widely used by hosting providers and can be found at http://www.hostingcontroller.com.  
  
Systems Affected: Only the latest version, HostingController 1.4.1, was tested. (Probably all prior versions)  
  
Vulnerability 1 - Browsing Non-public Directories Allowed  
Vulnerability 2 - Dot Dot Slash bug and autosignup/dsp_newhc.asp  
  
Impact: An attacker may be able to browse directories not intended to be publicly accessible and upload scripts to manipulate files and control administration of sites using the latest version of HostingController.  
  
Vendor contacted.  
  
  
Details  
-------  
  
Vulnerability 1 - Browsing Non-public Directories Allowed  
  
Hosting Controller has a security flaw which allows outside attackers to browse any file and any directory without authentication. Files can't be read, however the second vulnerability (explained below) would allow you to compromise the whole server.  
  
Sample scripts that allow browsing anywhere on the server:  
http://www.eg.com/hc/stats/statsbrowse.asp?filepath=c:\&Opt=3  
http://www.eg.com/hc/serv_u/servubrowse.asp?filepath=c:\&Opt=3  
http://www.eg.com/hc/adminsettings/browsedisk.asp?filepath=c:\&Opt=3  
http://www.eg.com/hc/adminsettings/browsewebalizerexe.asp?filepath=c:\&Opt=3  
http://www.eg.com/hc/SQLServ/sqlbrowse.asp?filepath=c:\&Opt=3  
  
The directory "hc" is an example of the path to the HostingController script on the sample domain. The actual "hc" directory name -- such as "admin" or "hostingcontroller" -- must be discovered for each "eg.com" and replaced in the above URL scripts.  
  
  
Vulnerability 2 - "Dot Dot Slash" bug and autosignup/dsp_newwebadmin.asp  
  
The dsp_newwebadmin.asp script from Hosting Controller can be executed by using, e.g.:  
  
  
http://www.eg.com/hc/autosignup/dsp_newwebadmin.asp  
  
This allows an attacker to create a new domain name and a new account without logging in as administrator. The attacker can then log into HostingController after the new account has been created using the script dsp_newwebadmin.asp.  
  
Once logged in, the attacker can use all HostingController menu options, as owner of the new account. The new domain name just created cannot yet be accessed because it needs to be activated by the "resadmin".  
  
To gain control of administration and execute arbitrary code on the hosting server, the attacker need only click on HostingController's "Directories" option on the left-hand side, which leads to the "File Manager" page, where the account is only allowed to manage files within  
<drive>:\\webspace\resadmin\youraccount\youraccount.com  
  
But the filemanager.asp of HostingController is also vulnerable to the well-known "dot dot slash" bug /../ allowing directory traversal, via a script URL such as:  
  
  
http://www.eg.com/hc/folders/filemanager.asp&siteindex=testing&sitename=testing.com&OpenPath=C:\webspace\resadmin\testing\testing.com\www\..\..\..\..\..\  
  
The attacker is then able to read, delete, rename and upload files anywhere on the eg.com server. For example, ntdaddy.asp or cmdasp.asp can be uploaded to active domain names so that the attacker can execute commands via web browser. With a little bit of work, the attacker can also upload nc.exe and call nc.exe from an asp script ... Thereafter, the site is of course toast.  
  
Vendor contacted.  
  
  
`
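The traversal in Vulnerability 2 works because a path that begins with the account's webspace directory can still resolve outside it once the `..\` segments are collapsed. The sketch below is an added example, not Hosting Controller code: it contrasts a raw prefix check with a check on the canonicalised path, using the advisory's sample path; `ACCOUNT_ROOT` and the function names are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

# Assumption: each account is confined to its own webspace directory,
# as in the advisory's example.
ACCOUNT_ROOT = r"C:\webspace\resadmin\testing\testing.com"

# The OpenPath value from the advisory (trailing backslash added separately
# because a raw string cannot end in one).
ADVISORY_PATH = r"C:\webspace\resadmin\testing\testing.com\www\..\..\..\..\.." + "\\"

def naive_is_allowed(open_path, root=ACCOUNT_ROOT):
    """Prefix test on the raw string: passes anything that merely starts with root."""
    return open_path.lower().startswith(root.lower())

def canonical(path):
    """Collapse '.', '..' and mixed separators, then fold case."""
    return ntpath.normcase(ntpath.normpath(path))

def is_allowed(open_path, root=ACCOUNT_ROOT):
    """Allow only absolute paths that stay inside root after canonicalisation."""
    if not ntpath.isabs(open_path):
        return False
    root_c, target = canonical(root), canonical(open_path)
    # Compare on a component boundary so a sibling such as
    # 'testing.com-old' does not pass as being inside 'testing.com'.
    return target == root_c or target.startswith(root_c + "\\")

if __name__ == "__main__":
    samples = [
        r"C:\webspace\resadmin\testing\testing.com\www\images",  # legitimate
        ADVISORY_PATH,                                           # resolves to C:\
        "C:/webspace/resadmin/testing/testing.com/www/../../../../",
        r"C:\webspace\resadmin\testing\testing.com-old\www",     # sibling directory
        r"..\..\boot.ini",                                       # relative path
    ]
    for p in samples:
        print(f"{p!r:75} naive={naive_is_allowed(p)} canonical={is_allowed(p)}")
```

`ntpath.normpath` is purely lexical; on a real server the check should also resolve junctions and symbolic links before comparing.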
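For operators reviewing web server logs for the requests described in the advisory, the following added example (not part of the original advisory) scans W3C extended log text for the listed browse scripts called with a `filepath` parameter, for hits on `dsp_newwebadmin.asp`, and for `filemanager.asp` requests whose decoded `OpenPath` contains a `..` component. The log lines are constructed samples, and the field layout is an assumption read from the `#Fields:` header.

```python
import re
from urllib.parse import parse_qs

# Script names taken from the advisory; the install directory ("hc") varies per site.
BROWSE_SCRIPTS = ("statsbrowse.asp", "servubrowse.asp", "browsedisk.asp",
                  "browsewebalizerexe.asp", "sqlbrowse.asp")

# Constructed W3C extended log lines (client addresses from documentation ranges).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-01-08 10:00:01 192.0.2.10 GET /hc/stats/statsbrowse.asp filepath=c:\\&Opt=3 200
2002-01-08 10:00:05 192.0.2.10 GET /admin/autosignup/dsp_newwebadmin.asp - 200
2002-01-08 10:01:12 192.0.2.10 GET /hc/folders/filemanager.asp siteindex=testing&OpenPath=C:\\webspace\\resadmin\\testing\\testing.com\\www\\..%5C..%5C 200
2002-01-08 10:02:00 198.51.100.7 GET /hc/folders/filemanager.asp siteindex=a&OpenPath=C:\\webspace\\resadmin\\a\\a.com\\www 200
2002-01-08 10:03:00 198.51.100.7 GET /index.asp - 200
"""

def scan(log_text):
    """Return (client_ip, finding, detail) tuples for requests matching the advisory."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order for following lines
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        # Match on the script name only, since the install directory is site-specific.
        script = rec["cs-uri-stem"].lower().rsplit("/", 1)[-1]
        # parse_qs URL-decodes values, so %5C and a literal backslash compare equal.
        query = {k.lower(): v[0] for k, v in parse_qs(rec["cs-uri-query"]).items()}
        if script in BROWSE_SCRIPTS and "filepath" in query:
            hits.append((rec["c-ip"], "directory-browse", query["filepath"]))
        elif script == "dsp_newwebadmin.asp":
            hits.append((rec["c-ip"], "autosignup", rec["cs-uri-stem"]))
        elif script == "filemanager.asp" and ".." in re.split(r"[\\/]", query.get("openpath", "")):
            hits.append((rec["c-ip"], "openpath-traversal", query["openpath"]))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```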
