vendor: HostingDirector VDS Control Panel
by: SecurityFocus
CVSS: 8.8 HIGH
Spoofing
CWE: 287
Product Name: HostingDirector VDS Control Panel
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: No
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2002

Sphera HostingDirector VDS Control Panel

An attacker can connect to the HostingDirector server and spoof HTTP referrer data to bypass HostingDirector authentication systems. This allows the attacker to make arbitrary modifications to other HostingDirector account configurations.

Mitigation:

Implement authentication mechanisms that are not vulnerable to spoofing.
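
The difference between a Referer-based gate and real authentication, as an added example (not code from the advisory or from the product): the first check trusts a header the client fully controls, while the second requires a server-side session, an ownership check and a per-session request token. The origin, account names and function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

# Constructed values for this sketch; none come from the product.
PANEL_ORIGIN = "https://panel.example.com/"
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {}  # session id -> authenticated account name


def referer_gate(headers, target_account):
    """Weak: treats a client-supplied header as proof of login."""
    return headers.get("Referer", "").startswith(PANEL_ORIGIN)


def login(account):
    """Create a server-side session (credential verification elided)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = account
    return sid


def csrf_token(sid):
    """Per-session token the panel embeds in its own forms."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def session_gate(cookies, form, target_account):
    """Hardened: server-side session, ownership check, request token."""
    sid = cookies.get("sid", "")
    account = SESSIONS.get(sid)
    if account is None:
        return False                      # no authenticated session
    if account != target_account:
        return False                      # may only modify its own account
    return hmac.compare_digest(form.get("csrf", ""), csrf_token(sid))


def demo():
    forged = {"Referer": PANEL_ORIGIN + "settings"}  # constructed, no session
    sid = login("alice")
    form = {"csrf": csrf_token(sid)}
    own = session_gate({"sid": sid}, form, "alice")
    other = session_gate({"sid": sid}, form, "bob")
    anon = session_gate({}, {}, "bob")
    return referer_gate(forged, "bob"), own, other, anon
```

`demo()` returns `(True, True, False, False)`: the Referer gate accepts a sessionless request aimed at another account, while the session gate allows only the logged-in owner.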
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/7896/info

Sphera HostingDirector VDS Control Panel has been reported prone to a vulnerability where an attacker may make arbitrary account configuration modifications.

It has been reported that an attacker may connect to the HostingDirector server and spoof HTTP referrer data to bypass HostingDirector authentication systems. It is then possible to make arbitrary modifications to other HostingDirector account configurations.

http://www.example.com/[INSTALLATION PATH]/dev/VDS/submitted.php?[TARGET USER]\activeservices\http||watchdog_running=[false]&restart_vds=on&success_msg=Remote USER VDS restarted trough this kind of attack/watch dog disabled.