[UNIX] Hosting Controller Directory Traversal Madness

From: support@securiteam.com
Date: 03/23/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 23 Mar 2002 18:10:29 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Hosting Controller Directory Traversal Madness
------------------------------------------------------------------------

SUMMARY

 <http://www.hostingcontroller.com/> Hosting Controller is an all in one
administrative hosting tools for Windows. It automates all hosting tasks
and gives full control of each website to the respective owners. Multiple
security vulnerabilities have been found to allow attackers to edit,
delete, create, move, etc any file they desire on the remote server.

DETAILS

Bug #1
File_editor.asp allows clients to edit their web pages online, without the
need to download, edit the pages and re-upload using FTP. File_editor.asp
is vulnerable to the /../ that allows attacker to breakout his root path
and edits any files on the hosts.

Bug #2
Folderactions.asp is also vulnerable to /../ traversal, allows attacker to
create, delete, files, directories on the server at his choice. This is
rather dangerous because Hosting Controller does not perform proper
permission checking and user right checking so the attacker can delete
anything he wants, the current patches from Hosting Controller does not
fix this.

If you combine those two bugs together then you actually can compromise
the server.

ADDITIONAL INFORMATION

The information has been provided by <mailto:dphuong@yahoo.com> Phuong
Nguyen.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [NT] Vulnerability in Hosting Controller (Username Detection)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Hosting Controller is an all in one ... The site owners' may login to Hosting Controller by submitting the login ... If a non-existing username is entered, ...
    (Securiteam)
  • [NT] Hosting Controller Multiple Security Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Hosting Controller has a security flaw that allows outside attackers to ... The dsp_newwebadmin.asp script can be executed by typing: ... execute commands via the web browser. ...
    (Securiteam)
  • [NT] Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (MS03-044)
    ... Get your security news from a reliable source. ... A security vulnerability exists in the Help and Support Center function ... *Microsoft Windows Millennium Edition ... An attacker could exploit the vulnerability by constructing a URL that, ...
    (Securiteam)
  • [UNIX] Security Analysis of VTun
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... An attacker can modify ... Packet forwarding: ... password) as encryption key. ...
    (Securiteam)
  • [REVS] Security Considerations for Web-based Applications
    ... Get your security news from a reliable source. ... consequences of this ranges from the erosion of customer confidence in the ... of poorly implemented host naming procedures or web-application URL ... The attacker may choose to inject ...
    (Securiteam)