[16889] in bugtraq
Re: Major Vulnerability in Alabanza Control Panel
daemon@ATHENA.MIT.EDU (Weihan Leow)
Mon Sep 25 12:01:13 2000
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.GSO.4.05.10009251052420.10648-100000@callisto.acsu.buffalo.edu>
Date: Mon, 25 Sep 2000 10:53:02 -0400
Reply-To: Weihan Leow <wleow@BUFFALO.EDU>
From: Weihan Leow <wleow@BUFFALO.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.GSO.4.05.10009241605290.16567-100000@xena.acsu.buffalo.edu>
I meant 09-14-00.
Sorry for the confusion.
On Sun, 24 Sep 2000, Weihan Leow wrote:
> Vulnerability: Ability to add/modify domains in name servers of webhosting
> companies who are reselling for Alabanza.
>
> Vendor Contacted: Yes, 09-14-99 - Hole still exists.
>
> ==========================================================================
> Hello everyone, I currently discovered a serious bug in the control
> panel that can really bring a webhost to its knees. This hole is for the
> control panel of all Alabanza based resellers/hosts. There could be more
> bugs but I did not take the time to find them yet. This is serious enough
> since you can delete all resold domains for a particular webhosting
> company. You can also change the default MX and CNAME records of all
> associated domains.
>
> By copying the following URL to *most* Alabanza host resellers, you have
> the ability to add a domain to their NS without the control panel user
> name and password:
>
> http://www.domain.com/cp/rac/nsManager.cgi?Domain=HAHAHA.org&IP=127.0.0.1&OP=add&Language=english&Submit=Confirm
> *The above link has been broken to prevent abuse. If you are an Alabanza
> based host/reseller, you can easily fix it*
>
> I have tested this on multiple domains and so far, most of them worked.
> You can substitute domain.com for any Alabanza host/reseller domain and
> for the domain you want DNS set up for, substitute HAHAHA.org for it. I
> also changed the ip to localhost instead of whatever was in there. The ip
> you put after IP= is the ip the domain will resolve to.
>
> Here is an example after typing in the above fixed link with a proper
> Alabanza domain in the beginning.
>
> Name Server Manager
> Domain HAHAHA.org will be added within 1 hour!
> Your domain HAHAHA.org 127.0.0.1 will be setup within 1 hour!
>
> Please click here to go back.
>
> After the submission of the domain, you are even given a link to take a
> look at the changes to be made. From this page, you can delete as well
> as modify all associated domains:
>
> http://www.domain.com/cp/rac/nsManager.cgi?Language=english
> *Again, it's been broken*
>
> Again, no user name and password is required.
>
> This is one of the exploits I have currently found in the control panel.
> I have not looked further since this notice should make everyone aware of
> what potential problems can exist. Serious damage to a host can be caused
> through this.
>
> If you would like to get it fixed, you better email the admins at
> Alabanza. It's been more than a week since I have contacted them and no
> fix yet. Hopefully, this will speed them up.
>
> Weihan Leow
>
>
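
Added example, not part of the original post and not Alabanza code: a log check a host could run to find requests to the nsManager.cgi path named in the advisory that succeeded with no authenticated user recorded. It assumes Apache combined-format access logs and that legitimate panel use populates the log's user field; the function name and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Path as given in the advisory; the log format and auth model are assumptions.
NS_MANAGER_PATH = "/cp/rac/nsManager.cgi"

# Apache combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_unauthenticated_ns_requests(lines):
    """Return one finding per 2xx request to nsManager.cgi that has no
    authenticated user in the log. 'op' is None for a plain page view."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m["target"])
        if url.path != NS_MANAGER_PATH:
            continue
        if m["user"] != "-" or not m["status"].startswith("2"):
            continue  # authenticated, or the server refused the request
        params = parse_qs(url.query)
        findings.append({
            "client": m["host"],
            "time": m["time"],
            "op": params.get("OP", [None])[0],
            "domain": params.get("Domain", [None])[0],
            "ip": params.get("IP", [None])[0],
        })
    return findings

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2000:10:01:02 -0400] "GET /cp/rac/nsManager.cgi?Domain=example.org&IP=127.0.0.1&OP=add&Language=english&Submit=Confirm HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.20 - reseller1 [25/Sep/2000:10:05:00 -0400] "GET /cp/rac/nsManager.cgi?Domain=example.net&IP=198.51.100.7&OP=add&Language=english&Submit=Confirm HTTP/1.0" 200 498 "-" "Mozilla/4.0"',
    '192.0.2.30 - - [25/Sep/2000:10:06:00 -0400] "GET /cp/rac/nsManager.cgi?Language=english HTTP/1.0" 200 2048 "-" "Mozilla/4.0"',
    '192.0.2.40 - - [25/Sep/2000:10:07:00 -0400] "GET /cp/rac/nsManager.cgi?Domain=example.com&IP=127.0.0.1&OP=add HTTP/1.0" 401 0 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for finding in find_unauthenticated_ns_requests(SAMPLE_LOG):
        print(finding)
```

Findings with an `op` value are record changes accepted without credentials; findings with `op` of None are unauthenticated views of the manager page.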