Hosting Controller Multiple Unauthenticated information disclose

From: small mouse (small.mouse_at_gmail.com)
Date: 03/07/05

  • Next message: Dragos Ruiu: "Security Masters Dojo" 
    Date: Mon, 7 Mar 2005 14:13:59 -0800
To: vuln-dev@securityfocus.com

                                      -= Security Advisory =-

    Advisory Information
    -------------------------

    Software Package : Hosting Controller
    Vendor Homepage : http://www.hostingcontroller.com
    Platforms : Windows based servers
    Vulnerability : Multiple Unauthenticated information disclose
    Risk : Low
    Vulnerable Versions: All version ( Tested on: v.6.1 Hotfix 1.7 )
    Vendor Contacted : 3/6/2005
    Release Date: : 3/8/2005

    Summary
    ------------

    Hosting Controller is a complete array of Web hosting automation tools for
    the Windows Server family platform.

    (1)
    the product have a feature which logs site updates and check this
    periodically. this log is saved in a .CSv format and storage path
    is in web-root of server. to name some of saved information in this CSV
    file , bandwith report and disk usage report are written in "comment" filed.
    as this is a general ( not domain specific ) log , reports of EVERY
    HOSTED DOMAIN
    on the server are logged here . so by reviewing this file , you can enumerate
    all domain names that are hosted on this server .

    Exploit :

    http://[target]/admin/logs/HCDiskQuotaService.csv

    (2)
    There is a password recovery feature in Admin login page of Hosting Controller ,
    which send back your password to registred e-mail address saved in system.
    if you know the site domain name , and remove the .com/.net/.* part
    and submit it as the asked "login ID" , Hosting Controller will disclose the
    hosting owners e-mail , which is not usually the one , mentioned in
    site itself ;)
    mix this bug with (1) and have fun :)

    /admin/forgotpassword.asp

    when does these comes usefull ?

    my own scenario :
    I had to penetrate into a site . well , server had no special remote
    flaw and web-site
    itself hadn`t any bug to use . I used this trick to find a vulnerable
    web site on same server
    and used it`s flaws to gain access to my final target ...

    Solution
    ----------

    The vender was notified, they have released a patch.
    Update Your software

    Credits
    ---------

    Discovered on 10 Apr 2004 by (\/) Mouse and Hamid Kashfi
    Mouse@Shabgard.org
    hamid@hat-squad.com

    References
    -------------

    http://isun.Shabgard.org/hc2.html
    http://isun.Shabgard.org/hc2.txt

  • Next message: Dragos Ruiu: "Security Masters Dojo"

    Relevant Pages

    • Hosting Controller Multiple Unauthenticated information disclose
      ... Software Package: Hosting Controller ... Vulnerability: Multiple Unauthenticated information disclose ... the Windows Server family platform. ...
      (Bugtraq)
    • Hosting Controllers - Multiple Security Vulnerabilities
      ... Hosting Controller - Multiple security vulnerabilities ... Vulnerability - Directories Browsing ... you can gain control and execute code on that machine. ... vulneralbe to the infamous dot dot slash bug /../ ...
      (Bugtraq)
    • [ARL02-A01] Vulnerability in Hosting Controller
      ... Software Package: Hosting Controller ... Vendor Contacted: 23/Jan/2002 ... A vulnerability exists in Hosting Controller which could ... If a non-existing username is entered, ...
      (Bugtraq)
    • Hosting Controller
      ... Software Package: Hosting Controller ... Vendor Homepage: http://www.hostingcontroller.com ... Hosting Controller is a complete array of Web hosting automation tools for the Windows Server family platform. ... Vulnerability - Directories Browsing files on the system. ...
      (Bugtraq)