


Hosting Controller multiple vulnerabilities



21st May 2002 [SBWID-5350]
COMMAND

	Hosting Controller multiple vulnerabilities

SYSTEMS AFFECTED

	Hosting Controller 1.4.1

PROBLEM

	KHA and BAODAINHAN [http://www.viethacker.net] posted:
	

	

	 Database directory traversal:

	By appending slash-dot-dot, the user can view the files and folders located
	on the system and can add a DSN outside the user's root directory.

	http://www.target.com/admin/dsn/dsnmanager.asp?DSNAction=ChangeRoot&RootName=D:\webspace\opendnsserver\target\target.com\db\..\..\..\..\

	

	

	 Any user can bypass authorization and take control of any
	 file on the system:

	This vulnerability is in the /import/imp_rootdir.asp file, which lets any
	user copy or delete files and folders on the system. The user can easily
	take control of any file just by changing the import directory:

	http://www.target.com/admin/import/imp_rootdir.asp?result=1&www=C:\&ftp=C:\&owwwPath=C:\&oftpPath=C:\

	

	Note: By default, advwebadmin is in the Administrators group, so any script
	run under the /admin directory will have administrator privilege on the
	system root. The user can upload malicious script code to the /admin
	directory and execute arbitrary commands via the browser.
	

	-Also-
	

	If the admin doesn't change or delete the user AdvWebadmin, the default
	password of this user is advcomm500349; you can create your own account
	or use this account to hack the server.
	

	A foolish vulnerability: I can view the hard disk by using the file
	browse.asp in the admin directory.

	www.victim.com/admin/browse.asp?FilePath=c:\&Opt=2&level=0
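All three requests quoted above hand a client-supplied Windows path (RootName, www/ftp/owwwPath/oftpPath, FilePath) to a script that uses it on the filesystem without confirming that it stays inside the customer's own web space. The following Python is an added example, not Hosting Controller's code and not part of the original post, of the containment check each of those ASP pages should have applied: canonicalize the path with Windows semantics, then require the result to be the customer root itself or something strictly below it. USER_ROOT is a placeholder modelled on the path shown in the advisory, and the sample URLs are reconstructed from the advisory's requests plus one legitimate request for comparison.

```python
import ntpath
from urllib.parse import parse_qs, urlsplit

# Assumed per-customer web root, modelled on the path in the advisory (placeholder, not a real host).
USER_ROOT = "D:\\webspace\\opendnsserver\\target\\target.com"

# Sample input: the three requests from the advisory, reconstructed here,
# plus one legitimate request that stays inside the customer's own db folder.
DSN_TRAVERSAL = ("http://www.target.com/admin/dsn/dsnmanager.asp?DSNAction=ChangeRoot"
                 "&RootName=D:\\webspace\\opendnsserver\\target\\target.com\\db\\..\\..\\..\\..\\")
IMPORT_ROOT = ("http://www.target.com/admin/import/imp_rootdir.asp?result=1"
               "&www=C:\\&ftp=C:\\&owwwPath=C:\\&oftpPath=C:\\")
BROWSE_DISK = "http://www.victim.com/admin/browse.asp?FilePath=c:\\&Opt=2&level=0"
DSN_LEGIT = ("http://www.target.com/admin/dsn/dsnmanager.asp?DSNAction=ChangeRoot"
             "&RootName=D:\\webspace\\opendnsserver\\target\\target.com\\db\\")


def resolve(user_root: str, requested: str) -> str:
    """Resolve a client-supplied path the way Windows would, then canonicalize it.

    ntpath.join lets an absolute 'requested' (another drive letter, or a leading
    backslash) replace the root entirely, which is exactly what the vulnerable
    pages allowed; normpath then folds '.', '..' and forward slashes, and
    normcase lowercases because NTFS name matching is case-insensitive.
    """
    return ntpath.normcase(ntpath.normpath(ntpath.join(user_root, requested)))


def is_within_root(user_root: str, requested: str) -> bool:
    """True only if the canonical path is the root itself or lies strictly below it."""
    root = ntpath.normcase(ntpath.normpath(user_root)).rstrip(ntpath.sep)
    target = resolve(user_root, requested)
    # The trailing separator stops 'D:\webspace\foo' from passing as a prefix
    # match for 'D:\webspace\foobar'.
    return target == root or target.startswith(root + ntpath.sep)


def escaping_params(url: str, user_root: str, path_params) -> list:
    """Return (name, value) pairs among path_params whose value leaves user_root."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [(name, value)
            for name in path_params
            for value in query.get(name, [])
            if not is_within_root(user_root, value)]


def audit_advisory_requests() -> dict:
    """Run the containment check over the sample requests, keyed by script name."""
    return {
        "dsnmanager.asp (traversal)": escaping_params(DSN_TRAVERSAL, USER_ROOT, ["RootName"]),
        "imp_rootdir.asp": escaping_params(IMPORT_ROOT, USER_ROOT,
                                           ["www", "ftp", "owwwPath", "oftpPath"]),
        "browse.asp": escaping_params(BROWSE_DISK, USER_ROOT, ["FilePath"]),
        "dsnmanager.asp (legitimate)": escaping_params(DSN_LEGIT, USER_ROOT, ["RootName"]),
    }


if __name__ == "__main__":
    for script, bad in audit_advisory_requests().items():
        verdict = "REJECT" if bad else "allow"
        print(f"{verdict:6} {script}: {bad}")
```

Run stand-alone, the script rejects all three advisory requests (the `..\..\..\..\` walk-up resolves to `D:\webspace`, and `C:\` is a different drive altogether) while allowing the request that stays under the customer's `db` folder. Canonicalizing before comparing matters: a check that merely searched the raw string for `..` would still be fooled by forward slashes, mixed case, or an absolute path on another drive, all of which `ntpath.normpath`/`normcase` fold into one canonical form. This check addresses only the path-handling flaws; the default AdvWebadmin password and the fact that the /admin scripts run with administrator rights are separate problems that a path check cannot fix.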

	

SOLUTION

	Patch available? Check:

	 http://hostingcontroller.com

	

