Vulnerability

    Alabanza

Affected

    Alabanza

Description

    Weihan Leow found the following. He discovered a serious bug in the control panel that can really bring a webhost to its knees. The hole is in the control panel of all Alabanza based resellers/hosts. There could be more bugs, but Weihan has not taken the time to find them yet. This one is serious enough, since you can delete all resold domains for a particular webhosting company. You can also change the default MX and CNAME records of all associated domains.

    By copying the following URL to *most* Alabanza host resellers, you have the ability to add a domain to their NS without the control panel user name and password:

        http://www.domain.com/cp/rac/nsManager.cgi?Domain=HAHAHA.org&IP=127.0.0.1&OP=add&Language=english&Submit=Confirm

    The above link has been broken to prevent abuse. If you are an Alabanza based host/reseller, you can easily fix it. This has been tested on multiple domains and, so far, it worked on most of them.

    Replace domain.com with any Alabanza host/reseller domain, and replace HAHAHA.org with the domain you want DNS set up for. Weihan also changed the IP to localhost instead of whatever was in there. The IP you put after IP= is the IP the domain will resolve to.

    Here is an example of the response after entering the above link, fixed, with a proper Alabanza domain at the beginning:

        Name Server Manager
        Domain HAHAHA.org will be added within 1 hour!
        Your domain HAHAHA.org 127.0.0.1 will be setup within 1 hour!
        Please click here to go back.

    After the submission of the domain, you are even given a link to take a look at the changes to be made. From this page, you can delete as well as modify all associated domains:

        http://www.domain.com/cp/rac/nsManager.cgi?Language=english

    *Again, it's been broken*

    Again, no user name and password is required. Serious damage to a host can be caused through this.

Solution

    If you would like to get it fixed, you had better email the admins at Alabanza.
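
For hosts checking whether the control panel has already been reached this way, the following added example (not part of the original advisory, and not Alabanza code) audits a web server access log for requests to the nsManager.cgi path shown above. It assumes Combined Log Format and that a logged-in panel user would appear in the log's authuser field; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: host ident authuser [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')
PANEL_PATH = "/cp/rac/nsmanager.cgi"  # path from the advisory, lower-cased for matching

# Constructed sample lines (documentation addresses and domains), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2001:10:01:22 +0000] "GET /cp/rac/nsManager.cgi'
    '?Domain=example.org&IP=127.0.0.1&OP=add&Language=english&Submit=Confirm'
    ' HTTP/1.0" 200 812',
    '203.0.113.7 - - [01/Jan/2001:10:01:40 +0000] "GET /cp/rac/nsManager.cgi'
    '?Language=english HTTP/1.0" 200 4410',
    '192.0.2.10 - reseller1 [01/Jan/2001:11:15:03 +0000] "GET /cp/rac/nsManager.cgi'
    '?Domain=example.net&IP=192.0.2.55&OP=add&Language=english&Submit=Confirm'
    ' HTTP/1.0" 200 799',
    '192.0.2.10 - reseller1 [01/Jan/2001:11:15:09 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

def audit(lines):
    """Return one record per logged request to nsManager.cgi."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a Combined Log Format request line
        url = urlsplit(m["target"])
        if url.path.lower() != PANEL_PATH:
            continue
        q = {k.lower(): v[0] for k, v in parse_qs(url.query).items()}
        findings.append({
            "time": m["time"],
            "client": m["client"],
            "op": q.get("op", "view").lower(),  # "view" is our label for no OP parameter
            "domain": q.get("domain", ""),
            "ip": q.get("ip", ""),
            "status": int(m["status"]),
            # Assumption: a logged-in panel user appears in the authuser field.
            "unauthenticated": m["user"] == "-",
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f["time"], f["client"], "NO AUTH" if f["unauthenticated"] else "auth ok",
              f["op"], f["domain"], f["ip"])
```

Requests sent by POST carry their parameters in the body, which access logs do not record, so they appear here with op "view" and an empty domain.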