Hosting Controller multiple security bypass

hostingcontroller-multiple-security-bypass (39038) The risk level is classified as Medium Risk

Description:

Hosting Controller could allow a remote attacker to bypass security restrictions, caused by improper handling of user-supplied input by the addreseller.asp, AccountActions.asp, addsubsite.asp, UNINSTAL.asp, GatewayVariables.asp, choosetranstype.asp, importhostingplans.asp, and AutoSignUpPlans.asp scripts. By sending a specially-crafted URL request, an attacker could change user passwords, profiles, credit amount, pay type, and plans, as well as create new users, uninstall FrontPage extensions, and delete gateway information.

Platforms Affected:

  • Hosting Controller, Hosting Controller 6.1 hf 3.3 and prior

Remedy:

No remedy available as of December 2007.

Consequences:

Bypass Security

References:

  • BugTraq Mailing List, Thu Dec 13 2007 - 06:15:12 CST, Hosting Controller - Multiple Security Bugs (Extremely Critical) at http://archives.neohapsis.com/archives/bugtraq/2007-12/0170.html.
  • Hosting Controller Web site, Hosting Controller at http://www.hostingcontroller.com.
  • BID-26862: Hosting Controller Multiple Remote Vulnerabilities
  • CVE-2007-6494: Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote attackers to obtain login access via a request to hosting/addreseller.asp with a username in the reseller parameter, followed by a request to AdminSettings/displays.asp with the DecideAction and ChangeSkin parameters.
  • CVE-2007-6495: inc_newuser.asp in Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to change the permissions of directories named (1) db, (2) www, (3) Special, and (4) log at arbitrary locations under the web root via a modified Dirroot parameter in an AddUser action to accounts/AccountActions.asp. NOTE: this can be leveraged for remote code execution by changing the permissions of \Forum\db, which is configured for execution of ASP scripts with administrative privileges, and then uploading a script to \Forum\db.
  • CVE-2007-6496: Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote attackers to register arbitrary users via a request to hosting/addsubsite.asp with the loginname and password parameters set, when preceded by certain requests to hosting/default.asp and hosting/selectdomain.asp, a related issue to CVE-2005-1654.
  • CVE-2007-6497: Hosting Controller 6.1 Hot fix 3.3 and earlier (1) allows remote attackers to change arbitrary user profiles via a request to Hosting/Addreseller.asp with modified loginname and email parameters; and (2) allows remote authenticated users to change a credit amount and increase a discount via an UpdateUser action to Accounts/AccountActions.asp with modified UserName, FullName, CreditLimit, and DefaultDiscount parameters, a related issue to CVE-2005-2219.
  • CVE-2007-6499: Unspecified vulnerability in Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to uninstall the FrontPage extensions of an arbitrary account via a request to fp2002/UNINSTAL.asp with a host id (IIS) value.
  • CVE-2007-6500: Unspecified vulnerability in Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to delete gateway information via a request to OpenApi/GatewayVariables.asp.
  • CVE-2007-6501: Unspecified vulnerability in Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to enable or disable pay type via a request to adminsettings/choosetranstype.asp.
  • CVE-2007-6503: Multiple unspecified vulnerabilities in Hosting Controller 6.1 Hot fix 3.3 and earlier allow remote authenticated users to (1) import an arbitrary plan via a request to hosting/importhostingplans.asp; or (2) change an arbitrary plan via a request to hosting/AutoSignUpPlans.asp with the (a) save, (b) 30, and (c) d_30 parameters.
  • SA28973: Hosting Controller Multiple Vulnerabilities
  • SECTRACK ID: 1019222: Hosting Controller Multiple Bugs Let Remote Users Gain Administrative Access
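Because no fix was available when this record was written, the practical defensive step is to watch web server logs for requests to the scripts named in the description and CVE entries above, and to flag the two patterns those entries describe: unauthenticated requests to addreseller.asp or addsubsite.asp, and requests that carry the account-altering parameters (Dirroot, CreditLimit, DefaultDiscount, reseller, loginname, UserName). The following triage script is an added example written for this page; it is not part of the X-Force record or of Hosting Controller. It assumes IIS W3C extended log lines in the field order given in FIELDS (adjust that list to match your own #Fields header), and the sample log lines are constructed, using documentation address ranges. One caveat is built into the code: IIS does not log request bodies, so parameters sent by POST are invisible to this check and would need a WAF or request-body logging to catch.

```python
# Added example for defenders: IIS log triage for the Hosting Controller scripts
# named in this advisory. Not part of the X-Force record or of Hosting Controller.
from urllib.parse import parse_qs

# Assumed W3C field order; change this to match the #Fields line of your logs.
FIELDS = ["date", "time", "c-ip", "cs-username", "cs-method",
          "cs-uri-stem", "cs-uri-query", "sc-status"]

# Scripts named in the advisory (compared case-insensitively, as IIS paths are).
AFFECTED_SCRIPTS = {
    "addreseller.asp", "accountactions.asp", "addsubsite.asp", "uninstal.asp",
    "gatewayvariables.asp", "choosetranstype.asp", "importhostingplans.asp",
    "autosignupplans.asp",
}

# Query parameters the CVE entries name as the ones an attacker modifies.
SENSITIVE_PARAMS = {"reseller", "loginname", "dirroot", "username",
                    "creditlimit", "defaultdiscount"}

# Constructed sample log (not real traffic) in the field order above.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2007-12-13 06:15:12 198.51.100.7 - GET /hosting/addreseller.asp reseller=admin 200
2007-12-13 06:16:40 198.51.100.7 alice GET /accounts/AccountActions.asp UserName=bob&CreditLimit=99999 200
2007-12-13 06:17:02 203.0.113.5 bob GET /hosting/default.asp - 200
"""


def parse_iis_line(line):
    """Split one W3C log line into a dict; skip comment and short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def assess(entry):
    """Return a finding for a request to an affected script, else None."""
    script = entry["cs-uri-stem"].rsplit("/", 1)[-1].lower()
    if script not in AFFECTED_SCRIPTS:
        return None
    # IIS writes "-" when there is no query string. POST bodies are never
    # logged, so parameters sent in a body cannot be seen here.
    query = entry["cs-uri-query"]
    params = {} if query == "-" else parse_qs(query, keep_blank_values=True)
    reasons = []
    if entry["cs-username"] == "-":
        reasons.append("unauthenticated request to affected script")
    hit = sorted(k for k in params if k.lower() in SENSITIVE_PARAMS)
    if hit:
        reasons.append("sensitive parameters: " + ",".join(hit))
    if not reasons:
        reasons.append("request to affected script")
    return {"client": entry["c-ip"], "user": entry["cs-username"],
            "script": script, "reasons": reasons}


def scan(log_text):
    """Run assess() over every line of a log and return the list of findings."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_iis_line(line)
        if entry is None:
            continue
        finding = assess(entry)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["client"], f["user"], f["script"], "; ".join(f["reasons"]))
```

Run against the constructed sample, the script reports the unauthenticated addreseller.asp request (with its reseller parameter) and the authenticated AccountActions.asp request carrying CreditLimit and UserName, and stays silent on the ordinary default.asp hit. Any request to one of the affected scripts is reported at least at the lowest level, so an analyst can still review activity that uses POST or parameters the CVE entries do not name.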

Reported:

Dec 13, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net
