[25485] in bugtraq
Hosting Controller still have dangerous bugs!
daemon@ATHENA.MIT.EDU (hdlkha@yahoo.com)
Fri May 17 12:58:26 2002
Date: 17 May 2002 09:10:51 -0000
Message-ID: <20020517091051.14231.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: "hdlkha@yahoo.com" <hdlkha@yahoo.com>
To: bugtraq@securityfocus.com
-Vulnerable versions: all HC versions.
1. Database directory traversal:
By adding slash dot dot, the user can view the files and
folders located on the system and can add a DSN outside the
user's root directory.
http://www.target.com/admin/dsn/dsnmanager.asp?DSNAction=ChangeRoot&RootName=D:\webspace\opendnsserver\target\target.com\db\..\..\..\..\
2. Any user can bypass authorization to take control of any
files on the system:
This vulnerability is in the /import/imp_rootdir.asp file,
which lets any user copy and delete files and folders on the
system.
The user can easily take control of any files just by
changing the import directory:
http://www.target.com/admin/import/imp_rootdir.asp?result=1&www=C:\&ftp=C:\&owwwPath=C:\&oftpPath=C:\
-Exploit: By default, advwebadmin is in the Administrator
group, so any script run under the /admin directory will have
administrator privilege on the system root. The user can
upload malicious script code to the /admin directory and
execute arbitrary commands via the browser.
-Workaround: look for the newest patch for HC from
www.hostingcontroller.com
KHA
hdlkha@yahoo.com
http://www.viethacker.net
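
The server-side check that both issues above lack, as an added example (not part of the original post and not Hosting Controller code). It is written in Python to model the logic, although the product is ASP; the helper names and the use of the advisory's db path as the allowed root for both pages are assumptions.

```python
import ntpath  # Windows path rules, usable on any OS


def is_within_root(user_root: str, requested: str) -> bool:
    """True only if `requested` resolves to `user_root` or something below it."""
    # Collapse "..", "." and mixed separators, then fold case
    # (Windows paths are compared case-insensitively).
    root = ntpath.normcase(ntpath.normpath(user_root))
    target = ntpath.normcase(ntpath.normpath(requested))
    try:
        # Compare whole path components; a plain string-prefix test would
        # wrongly accept "...\db2" as being inside "...\db".
        return ntpath.commonpath([root, target]) == root
    except ValueError:
        # Different drive, or a relative path: not provably inside the root.
        return False


def rejected_params(user_root: str, query: dict, path_params: tuple) -> list:
    """Names of path-bearing query parameters that point outside `user_root`."""
    return [name for name in path_params
            if name in query and not is_within_root(user_root, query[name])]


# Constructed sample input: the root and the parameter names are taken from
# the two URLs in the advisory; treating this root as the limit is an assumption.
USER_ROOT = "D:\\webspace\\opendnsserver\\target\\target.com\\db"
DSN_PARAMS = ("RootName",)
IMPORT_PARAMS = ("www", "ftp", "owwwPath", "oftpPath")

if __name__ == "__main__":
    dsn_query = {"DSNAction": "ChangeRoot",
                 "RootName": USER_ROOT + "\\..\\..\\..\\..\\"}
    import_query = {"result": "1", "www": "C:\\", "ftp": "C:\\",
                    "owwwPath": "C:\\", "oftpPath": "C:\\"}
    print(rejected_params(USER_ROOT, dsn_query, DSN_PARAMS))
    print(rejected_params(USER_ROOT, import_query, IMPORT_PARAMS))
```

The allowed root has to come from the authenticated account's server-side record, never from the request itself. The comparison is lexical only, so it does not resolve junctions or 8.3 short names.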