28 matches found
CVE-2007-6495
incnewuser.asp in Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to change the permissions of directories named (1) db, (2) www, (3) Special, and (4) log at arbitrary locations under the web root via a modified Dirroot parameter in an AddUser action to...
CVE-2007-6498
Multiple SQL injection vulnerabilities in Hosting Controller 6.1 Hot fix 3.3 and earlier allow remote authenticated users to execute arbitrary SQL commands via the (1) email and (2) loginname parameters to Hosting/Addreseller.asp, (3) the sortfield parameter to accounts/accountmanager.asp, (4) the...
Cross-site request forgery (CSRF)
Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote attackers to obtain login access via a request to hosting/addreseller.asp with a username in the reseller parameter, followed by a request to AdminSettings/displays.asp with the DecideAction and ChangeSkin parameters...
Design/Logic Flaw
Hosting Controller 6.1 Hot fix 3.3 and earlier (1) allows remote attackers to change arbitrary user profiles via a request to Hosting/Addreseller.asp with modified loginname and email parameters; and (2) allows remote authenticated users to change a credit amount and increase a discount via an...
Design/Logic Flaw
Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to obtain sensitive information via (1) the AdminName and AdminLevel parameters to fp2000/NEWSRVR.asp, which discloses usernames; and (2) certain XML HTTP requests to hosting/css.asp using Microsoft.XMLHTTP or...
CVE-2007-6502
Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to obtain sensitive information via (1) the AdminName and AdminLevel parameters to fp2000/NEWSRVR.asp, which discloses usernames; and (2) certain XML HTTP requests to hosting/css.asp using Microsoft.XMLHTTP or...
CVE-2007-6503
Multiple unspecified vulnerabilities in Hosting Controller 6.1 Hot fix 3.3 and earlier allow remote authenticated users to (1) import an arbitrary plan via a request to hosting/importhostingplans.asp; or (2) change an arbitrary plan via a request to hosting/AutoSignUpPlans.asp with the (a) save, (b) 30,...
CVE-2006-5630
CVE-2006-5630 affects Hosting Controller 6.1 before Hotfix 3.3. The vulnerability enables remote deletion of a site’s virtual directory by tampering with the ForumID in DisableForum.asp, and creation of an arbitrary forum virtual directory via an empty ForumID in EnableForum.asp. Root cause: impr...
CVE-2006-5629
Summary of CVE-2006-5629 (CVELIST/NVD): The vulnerability affects Hosting Controller 6.1 before Hotfix 3.3. It arises from inadequate sanitization of the ForumID parameter in two ASP scripts, EnableForum.asp and DisableForum.asp, allowing an unauthenticated attacker to inject SQL via the ForumID...
Hosting Controller 6.1 Hotfix 3.2 - Access
Hosting Controller 6.1 Hotfix <= 3.2 Multi Vuln. SQLInjection, Command Injection. KAPDA::59 - Hosting Controller 6.1 Hotfix <= 3.2. Vendor: Hosting Controller. Vendor URL: www.hostingcontroller.com. Solution: Hotfix 3.3. Found Date: 7/1/2006. Release Dat...
Hosting Controller 6.1 Hotfix 3.2 - Access
Hosting Controller 6.1 Hotfix <= 3.2 Multi Vuln. SQLInjection, Command Injection. KAPDA::59 - Hosting Controller 6.1 Hotfix <= 3.2. Vendor: Hosting Controller. Vendor URL: www.hostingcontroller.com. Solution: Hotfix 3.3. Found Date: 7/1/2006. Release Date: 10/10/2006. Discussion:...
Hosting Controller <= 6.1 Hotfix 3.2 Remote Unauthenticated Vulns
Exploit for unknown platform in category web applications. Hosting Controller <= 6.1 Hotfix 3.2 Remote Unauthenticated Vulns. Hosting Controller 6.1 Hotfix <= 3.2 Multi...
Improper access control
Hosting Controller 6.1 stores forum/db/forum.mdb under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as user name and password credentials. NOTE: the provenance of this information is unknown; the details are obtained fr...
CVE-2006-1764
Hosting Controller 6.1 stores forum/db/forum.mdb under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as user name and password credentials. NOTE: the provenance of this information is unknown; the details are obtained fr...
SQL injection
SQL injection vulnerability in search.asp in Hosting Controller 6.1 Hotfix 2.9 allows remote attackers to execute arbitrary SQL commands via the search parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information...
CVE-2006-1229
CVE-2006-1229 is a SQL injection vulnerability in the search.asp page of Hosting Controller 6.1 (Hotfix 2.9) that allows remote execution of arbitrary SQL commands via the search parameter. The core issue is an injectable parameter in the search functionality, resulting in partial confidentiality...