Hosting Controller web interface bypasses admin authentication



7th Jan 2002 [SBWID-4974]
COMMAND

	HostingController web interface bypasses admin authentication

SYSTEMS AFFECTED

	HostingController 1.4.1 and probably all other versions

PROBLEM

	Phuong Nguyen posted :
	

	 

	Vulnerability (1) - Directories Browsing

	

	Hosting Controller has a security flaw which allows outside attackers
	to browse any file and any directory on that server without any
	authentication. You're not allowed to read files. However, I believe the
	second vulnerability (explained below) will allow you to take control
	of the server.
	

	Example: Scripts that allow you to browse anywhere on the server.
	

	http://www.victim.com/advwebadmin/stats/statsbrowse.asp?filepath=c:\\&Opt=3

	

	http://www.victim.com/advwedadmin/serv_u/servubrowse.asp?filepath=c:\\&Opt=3

	

	http://www.victim.com/advwedadmin/adminsettings/browsedisk.asp?filepath=c:\\&Opt=3

	

	http://www.victim.com/advwedadmin/adminsettings/browsewebalizerexe.asp?filepath=c:\\&Opt=3

	

	http://www.victim.com/advwedadmin/SQLServ/sqlbrowse.asp?filepath=c:\\&Opt=3

	

	advwebadmin is the path to the hosting controller script; replace
	advwebadmin with something else if necessary, for example /admin/ or
	/hostingcontroller/
	

	

	Vulnerability (2) - Dot Dot Slash bug and autosignup/dsp_newwebadmin.asp

	

	The dsp_newwebadmin.asp script can be executed by typing
	

	www.victim.com/advwebadmin/autosignup/dsp_newwebadmin.asp

	

	which allows you to create a new domain name and a new account without
	the need of logging in as administrator. Login to the hosting
	controller after your account has been created by using the
	dsp_newwebadmin.asp. Once you have logged in, you should be able to use
	all of the options on the hosting controller's menu as an owner of the
	account. You will not be able to access the domain name you just
	created with dsp_newwebadmin.asp because it needs to be activated by
	the resadmin; so your domain name should be inactive ;) (OBVIOUSLY)
	I'll explain how you can gain control and execute code on that
	machine.
	

	If you click on the directories option on the left hand side, it will take
	you to the file manager page and you are only allowed to manage files
	within   <drive>:\\\\webspace\\resadmin\\youraccount\\youraccount.com
	, but the filemanager.asp is also vulnerable, it's vulnerable to the
	infamous dot dot slash bug /../ which allows directory traversal, so it
	should look something like this :
	

	http://www.victim.com/advwebadmin/folders/filemanager.asp&siteindex=testing&sitename=testing.com&OpenPath=C:\\webspace\\resadmin\\testing\\testing.com\\www\\..\\..\\..\\..\\..\\

	

	You'll have the ability to read, delete, rename files and upload files
	anywhere you want. All you need to do now is to upload something like
	ntdaddy.asp or cmdasp.asp to some active domain names to be able to
	execute commands via web browser. You can upload nc.exe and execute
	nc.exe by calling an asp script from your browser. The possibilities
	are endless.

SOLUTION

	Not yet
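
	Added example, not part of the original advisory and not Hosting Controller's own code: the server-side containment check that the OpenPath traversal in Vulnerability (2) calls for, written in Python with Windows path rules (ntpath). The function name is hypothetical; the account root and the traversal string are the ones from the advisory's example URL.

```python
import ntpath  # Windows path semantics, usable on any OS

# Account root and traversal value as they appear in the advisory's example URL.
ACCOUNT_ROOT = r"C:\webspace\resadmin\testing\testing.com"
ADVISORY_OPENPATH = ACCOUNT_ROOT + "\\www" + "\\.." * 5 + "\\"


def is_within_root(account_root: str, open_path: str) -> bool:
    """Return True only if open_path stays inside account_root.

    The path is resolved first ('.', '..', '/' vs '\\', letter case) and
    compared afterwards, component by component. A plain string-prefix test
    on the raw parameter is what the '..\\..\\' sequence defeats.
    """
    root = ntpath.normcase(ntpath.normpath(account_root))
    # Relative input is taken relative to the root; absolute input replaces it.
    joined = ntpath.join(root, open_path)
    candidate = ntpath.normcase(ntpath.normpath(joined))
    try:
        # commonpath compares whole components, so a sibling directory such as
        # 'testing.com.evil' does not pass as a child of 'testing.com'.
        return ntpath.commonpath([root, candidate]) == root
    except ValueError:
        # Different drive, UNC share, or absolute/relative mix: outside the root.
        return False


if __name__ == "__main__":
    samples = [  # constructed sample inputs
        ACCOUNT_ROOT + r"\www\images",
        ADVISORY_OPENPATH,
        r"www\..\..\..",
        ACCOUNT_ROOT + ".evil",
        r"\\host\share\x",
    ]
    for s in samples:
        verdict = "allow" if is_within_root(ACCOUNT_ROOT, s) else "deny"
        print(f"{verdict:5}  {s}")
```

	The check is lexical only: it does not resolve junctions or 8.3 short names, and it does nothing about the unauthenticated access to dsp_newwebadmin.asp and the browse scripts, which needs a session check on every page.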

