TUCoPS :: Network Appliances :: napl5190.htm

Hosting Controller directory traversal remote exploits
19th Mar 2002 [SBWID-5190]
COMMAND

	Hosting Controller directory traversal remote exploits

SYSTEMS AFFECTED

	Tested on Hosting Controller, Windows 2000, version 1.4.1 with all
	patches applied

PROBLEM

	Phuong Nguyen posted :
	

	Bug #1

	

	File_editor.asp allows clients to edit their web pages online, without
	the need to download the pages, edit them and re-upload using FTP.
	File_editor.asp is vulnerable to the /../ sequence, which allows an
	attacker to break out of his root path and edit any files on the hosts.
	

	Bug #2

	

	Folderactions.asp is also vulnerable to dot dot slash (/../), which
	allows an attacker to create and delete files and directories on the
	server at his choice. This is rather dangerous because Hosting
	Controller does not perform proper permission checking and user right
	checking, so the attacker can delete anything he wants; the current
	patches from Hosting Controller do NOT fix this.
	

	If you combine those two bugs, you can actually compromise the server.

SOLUTION

	Patch (NOT official) :
	

	Here are fixed versions of folderactions.asp and file_editor.asp. All
	you need to do is replace your old *.asp files with these ones.
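	Added example, not code from the advisory or from Hosting Controller: the root-containment check a per-client file editor such as file_editor.asp or folderactions.asp needs before it touches the filesystem, plus a matching detection pass over constructed IIS-style log lines. Python stands in for ASP here; the client root, the script locations and the log field layout are assumptions.

```python
import ntpath
import re
from urllib.parse import unquote

CLIENT_ROOT = r"C:\HC\clients\alice"  # constructed per-client root, not the product's real layout

def resolve_client_path(client_root: str, requested: str) -> str:
    """Canonicalise 'requested' under client_root with Windows path rules (the product
    ran on Windows 2000); on a live host also resolve 8.3 names and junctions first."""
    root = ntpath.normcase(ntpath.normpath(client_root))
    # ntpath.join discards the root when 'requested' is absolute (\winnt\.., D:\..),
    # so the containment test below must not assume the prefix survived the join.
    candidate = ntpath.normcase(ntpath.normpath(ntpath.join(root, requested)))
    # Compare against root plus separator: "..\alice2\x" must not pass as "alice".
    if candidate != root and not candidate.startswith(root + ntpath.sep):
        raise ValueError(f"path escapes client root: {requested!r}")
    return candidate

def is_within_root(client_root: str, requested: str) -> bool:
    try:
        return bool(resolve_client_path(client_root, requested))
    except ValueError:
        return False

_DOTDOT = re.compile(r"(?:^|[/\\=])\.\.(?:[/\\]|$)")  # a '..' segment in a path or query value

def has_traversal_segment(value: str) -> bool:
    return _DOTDOT.search(unquote(unquote(value))) is not None  # tolerates double encoding

def flag_traversal_requests(log_lines):
    """Return IIS W3C-style lines (assumed fields: date time c-ip cs-method cs-uri-stem
    cs-uri-query sc-status) that call either affected script with a '..' segment."""
    flagged = []
    for line in log_lines:
        parts = line.split()
        script = parts[4].rsplit("/", 1)[-1].lower() if len(parts) >= 6 else ""
        if script in ("file_editor.asp", "folderactions.asp") and has_traversal_segment(parts[5]):
            flagged.append(line)
    return flagged

SAMPLE_LOG = [  # constructed log lines, not from the advisory: one benign edit, two traversals
    "2002-03-19 10:01:02 10.0.0.5 GET /hc/file_editor.asp file=index.asp 200",
    "2002-03-19 10:01:09 10.0.0.5 GET /hc/file_editor.asp file=../../hc_admin/config.asp 200",
    "2002-03-19 10:01:15 10.0.0.5 POST /hc/folderactions.asp action=delete&dir=%2e%2e%2f%2e%2e%2fadmin 200",
]

if __name__ == "__main__":
    for req in (r"subdir\..\index.asp", "../../hc_admin/config.asp", r"\winnt\win.ini", r"..\alice2\x.asp"):
        print(f"{req!r:32} {'ok' if is_within_root(CLIENT_ROOT, req) else 'REJECTED'}")
    print(len(flag_traversal_requests(SAMPLE_LOG)), "suspicious requests in sample log")
```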
	

