[24012] in bugtraq
[ARL02-A01] Vulnerability in Hosting Controller
daemon@ATHENA.MIT.EDU (Ahmet Sabri ALPER)
Mon Jan 28 15:24:09 2002
Date: 26 Jan 2002 18:20:18 -0000
Message-ID: <20020126182018.23125.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Ahmet Sabri ALPER <s_alper@hotmail.com>
To: bugtraq@securityfocus.com
+/-----------\---------- ALPER Research Labs --------/-----------/+
+/------------\--------- Security Advisory -------/------------/+
+/-------------\-------- ID: ARL02-A01 ------/-------------/+
+/--------------\------- salper@pcworld.com.tr -----/--------------/+
Advisory Information
--------------------
Software Package : Hosting Controller
Vendor Homepage : http://www.hostingcontroller.com
Vulnerable Versions: 1.4.1, 1.4.b and probably previous versions
Platforms : Windows based servers
Vulnerability Type : Design Error
Vendor Contacted : 23/Jan/2002
Prior Problems : BID: 3808 & BID: 3811
Current Version : 1.4.1 (vulnerable)
Summary
-------
Hosting Controller is an all in one administrative
hosting tool for Windows based servers.
It automates all hosting tasks and gives full control of
each website to the respective owner.
A vulnerability exists in Hosting Controller which lets
anyone confirm whether a username is valid and then
crack the passwords of confirmed users by brute force.
Details
-------
Site owners log in to Hosting Controller by submitting
the login form, which is usually found at one of:
http://www.thesite.com.tr/admin/
http://www.thesite.com.tr/webadmin/
http://www.thesite.com.tr/advwebadmin/
http://www.thesite.com.tr/hostingcontroller/
These are the most common paths for the Hosting
Controller login page.
If a non-existent username is entered, the form
returns the message:
"The user name could not be found".
Anyone can use this response to find an existing
user name. When an existing username is entered but
the password supplied with it is incorrect, the form
returns a different message:
"The user has entered an invalid password".
The two responses let an attacker first enumerate
valid usernames and then launch a brute-force attack
on the password of a confirmed username.
I should point out that domain names, or variations
of them, are generally used as usernames in Hosting
Controller, so the username is often easy to predict
without any probing at all.
Once logged in, the attacker has total control over
the web site.
Solution
--------
The vendor replied within 12 hours of the contact,
stating that they would release a patch within
1-2 weeks, probably based on the first of the
solutions suggested below.
Hosting Controller's managers were highly responsive
to this advisory submission and acknowledged the
security vulnerability in the Hosting Controller
programme.
They responded quickly and professionally, which is
the behaviour every vendor should show on such
occasions.
1. A practical solution is to limit login attempts
from the same IP on a time basis, e.g. three wrong
password entries from the same IP within an hour
trigger the protection.
2. The login form should return the same message,
such as "Wrong username or password", whether the
username or the password is wrong.
3. Assigning hard-to-guess usernames and passwords,
and changing passwords periodically, is also a quick
measure.
4. The path to Hosting Controller could also be
changed to a non-default one, perhaps named with a
random character sequence.
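The following is an added example written for this page, not Hosting Controller's code or anything from the advisory's author. It models the two login responses quoted in the Details section beside a handler that applies suggestions 1 and 2 above, and shows how an attacker's differential probe behaves against each. The user table, the 3-failures-per-hour lockout policy, the injectable clock, the IP addresses and the two non-quoted message texts are all constructed assumptions.

```python
"""Added example (not Hosting Controller's code): the login behaviour the
advisory describes, beside a hardened version of the same check.

Everything here is constructed for illustration: the user table, the
1-hour / 3-failure lockout policy, the injectable clock and the message
texts other than the two quoted from the advisory are assumptions.
"""
import hmac
import time
from collections import defaultdict, deque

# Constructed user store. Domain-like usernames mirror the advisory's
# observation that usernames are usually derived from the hosted domain.
USERS = {"thesite.com.tr": "s3cret!"}

# Responses quoted in the advisory ...
MSG_NO_USER = "The user name could not be found"
MSG_BAD_PW = "The user has entered an invalid password"
# ... and two assumed responses for the hardened handler.
MSG_GENERIC = "Wrong username or password"
MSG_LOCKED = "Too many failed login attempts; try again later"


def login_vulnerable(username, password):
    """Vulnerable behaviour: the message reveals whether the username exists."""
    if username not in USERS:
        return (False, MSG_NO_USER)
    if USERS[username] != password:
        return (False, MSG_BAD_PW)
    return (True, "ok")


class Lockout:
    """Per-IP failure tracking: `limit` failures within `window` seconds
    block further attempts from that IP until the old failures expire."""

    def __init__(self, limit=3, window=3600, clock=time.time):
        self.limit, self.window, self.clock = limit, window, clock
        self.failures = defaultdict(deque)   # ip -> timestamps of failures

    def blocked(self, ip):
        q = self.failures[ip]
        now = self.clock()
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return len(q) >= self.limit

    def record_failure(self, ip):
        self.failures[ip].append(self.clock())


def login_hardened(username, password, ip, lockout):
    """Hardened behaviour (advisory suggestions 1 and 2): one message for
    any wrong credential, and a per-IP lockout on repeated failures."""
    if lockout.blocked(ip):
        return (False, MSG_LOCKED)
    stored = USERS.get(username)
    # Always run a comparison so unknown users cost the same time as known
    # ones. (A real system would compare password hashes, not plaintext.)
    candidate = stored if stored is not None else "no-such-user-dummy"
    match = hmac.compare_digest(candidate.encode(), password.encode())
    if stored is None or not match:
        lockout.record_failure(ip)
        return (False, MSG_GENERIC)
    return (True, "ok")


def enumerate_usernames(login, candidates, probe="nonexistent-probe.invalid"):
    """Attacker's view of the advisory's technique: take the response for a
    username that certainly does not exist as a baseline, then submit a wrong
    password for each candidate and keep those whose response differs.
    `login(username, password)` must return `(ok, message)`."""
    baseline = login(probe, "deliberately-wrong")[1]
    return [name for name in candidates
            if login(name, "deliberately-wrong")[1] != baseline]


if __name__ == "__main__":
    guesses = ["thesite.com.tr", "othersite.com.tr"]
    print("vulnerable handler confirms:",
          enumerate_usernames(login_vulnerable, guesses))
    lk = Lockout()

    def hardened(u, p):
        return login_hardened(u, p, "198.51.100.7", lk)

    print("hardened handler confirms:", enumerate_usernames(hardened, guesses))
```

Against `login_vulnerable` the probe confirms `thesite.com.tr` from the differing message alone; against `login_hardened` every failure produces the same text, so the probe confirms nothing, and the probe's own failures count towards the lockout. Two caveats a practitioner should keep in mind: per-IP limiting alone does not stop an attacker who spreads attempts across many addresses, and it can be abused to lock a legitimate site owner out, so it complements rather than replaces suggestions 2 and 3; and a uniform message only closes the leak if the response time is also uniform, which is why the hardened handler compares a dummy value for unknown users instead of returning early.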
Credits
-------
Discovered on Jan 23, 2002 by Ahmet Sabri ALPER
<salper@pcworld.com.tr>
Ahmet Sabri ALPER is the System Security Editor of
PCLIFE Magazine.
References
----------
Product Web Page: http://www.hostingcontroller.com