Hosting Controller admin privilege escalation

hosting-controller-admin-gain-privileges (27340) The risk level is classified as Medium Risk

Description:

An unspecified vulnerability in Hosting Controller could allow a remote authenticated attacker to gain host administrative privileges on the application.

Platforms Affected:

  • Hosting Controller, Hosting Controller 6.1 Hf 3.2 and prior

Remedy:

Upgrade to the latest version of Hosting Controller (version 6.1 Hotfix 3.2 or later), available from the Hosting Controller Web site. See References.

Consequences:

Gain Privileges

References:

  • BugTraq Mailing List, Fri Jul 07 2006 - 10:31:51 CDT, HostingController: An attacker can gain reseller privileges and after that can gain admin privileges at http://archives.neohapsis.com/archives/bugtraq/2006-07/0085.html.
  • Hosting Controller Web site, Hotfix 3.2 Release Notes at http://hostingcontroller.com/english/logs/hotfixlogv61_3_2.html.
  • Hosting Controller Web site, Hosting Controller at http://hostingcontroller.com/english/.
  • BID-18565: Hosting Controller Addreseller.ASP Privilege Escalation Vulnerability
  • CVE-2006-3147: Unspecified vulnerability in Hosting Controller before 6.1 (aka Hotfix 3.2) allows remote authenticated attackers to gain host admin privileges, list all resellers, or change resellers' passwords via unspecified vectors. NOTE: due to the lack of precise details, it is not clear whether this is related to a previously disclosed issue such as CVE-2005-1788.
  • OSVDB ID: 26693: Hosting Controller Unspecified Authenticated Privilege Escalation
  • SA20743: Hosting Controller User Permission Verification Vulnerability
  • SECTRACK ID: 1016444: Hosting Controller Access Control Bugs Let Remote Users Gain Reseller and Administrative Privileges
  • VUPEN/ADV-2006-2459: Hosting Controller Unspecified Variable Handling Privilege Escalation Vulnerability

Reported:

Jun 20, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
