Hosting Controller - Multiple security vulnerabilities Release Date: 01/04/2002 Summary Hosting Controller is an all in one administrative hosting tools for Windows. It automates all hosting tasks and gives full control of each website to the respective owners. Hosting Controller is used widely by many hosting providers. More informations at http://www.hostingcontroller.com Vulnerable version: 1.4.1 and probably all other versions Vulnerability (1) - Directories Browsing Hosting Controller has a security flaw which allows outside attackers to browse any file and any directory on that server without any authentication. You're not allowed to read files. However, I believe the second vulnerability (explained below) will allow you to take control of the server. Example: Scripts that allow you to browse anywhere on the server. http://www.victim.com/advwebadmin/stats/statsbrowse.asp?filepath=c:\&Opt=3 http://www.victim.com/advwedadmin/serv_u/servubrowse.asp?filepath=c:\&Opt=3 http://www.victim.com/advwedadmin/adminsettings/browsedisk.asp?filepath=c:\&Opt=3 http://www.victim.com/advwedadmin/adminsettings/browsewebalizerexe.asp?filepath=c:\&Opt=3 http://www.victim.com/advwedadmin/SQLServ/sqlbrowse.asp?filepath=c:\&Opt=3 advwedadmin is the path to hosting controller script, replace advwebadmin with something else if necessary , for example /admin/ or /hostingcontroller/ Vulnerability (2) - Dot Dot Slash bug and autosignup/dsp_newwebadmin.asp The dsp_newwebadmin.asp script can be executed by typing www.victim.com/advwebadmin/autosignup/dsp_newwebadmin.asp which allows you to create a new domain name and a new account without the need of logging in as administrator. Login to the hosting controller after your account has been created by using the dsp_newwebadmin.asp. Once you have logged in, you should be able to use all of the options on the hosting controller's menu as an owner of the account. You will not be able to access the domain name you just created with dsp_newwebadmin.asp because it needs to be activated by the resadmin; so your domain name should be inactive ;) (OBVIOUSILY) I'll explain how you can gain control and execute code on that machine. If you click on directories option on the left handside, it will take you to file manager page and you are only allowed to manage files within <drive>:\\webspace\resadmin\youraccount\youraccount.com , but the filemanager.asp is also vulnerable, it's vulneralbe to the infamous dot dot slash bug /../ which allows directory traversal, so it should look something like this http://www.victim.com/advwebadmin/folders/filemanager.asp&siteindex=testing&sitename=testing.com&OpenPath=C:\webspace\resadmin\testing\testing.com\www\..\..\..\..\..\ You'll have the ability to read, delete, rename file and upload file anywhere you want. All you need to do now is to upload something like ntdaddy.asp or cmdasp.asp to some active domain names to be able execute commands via web browser. You can upload nc.exe and execute nc.exe by calling an asp script from your browser. The possibilities are endless. Vendor has been contacted. __________________________________________________ Do You Yahoo!? Send FREE video emails in Yahoo! Mail! http://promo.yahoo.com/videomail/
This archive was generated by hypermail 2b30 : Sat Jan 05 2002 - 17:29:30 PST