Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Phuong Nguyen (dphuongyahoo.com)
Date: Sat Jan 05 2002 - 09:06:49 CST
Hosting Controller - Multiple security vulnerabilities
Release Date: 01/04/2002
Hosting Controller is an all in one administrative
hosting tools for Windows. It automates all hosting
tasks and gives full control of each website to the
respective owners. Hosting Controller is used widely
by many hosting providers.
More informations at http://www.hostingcontroller.com
Vulnerable version: 1.4.1 and probably all other
Vulnerability (1) - Directories Browsing
Hosting Controller has a security flaw which allows
outside attackers to browse any file and any directory
on that server without any authentication. You're not
allowed to read files. However, I believe the second
vulnerability (explained below) will allow you to take
control of the server.
Example: Scripts that allow you to browse anywhere on
advwedadmin is the path to hosting controller script,
replace advwebadmin with something else if necessary ,
for example /admin/ or /hostingcontroller/
Vulnerability (2) - Dot Dot Slash bug and
The dsp_newwebadmin.asp script can be executed by
which allows you to create a new domain name and a new
account without the need of logging in as
administrator. Login to the hosting controller after
your account has been created by using the
dsp_newwebadmin.asp. Once you have logged in, you
should be able to use all of the options on the
hosting controller's menu as an owner of the account.
You will not be able to access the domain name you
just created with dsp_newwebadmin.asp because it needs
to be activated by the resadmin; so your domain name
should be inactive ;) (OBVIOUSILY) I'll explain how
you can gain control and execute code on that machine.
If you click on directories option on the left
handside, it will take you to file manager page and
you are only allowed to manage files within
, but the filemanager.asp is also vulnerable, it's
vulneralbe to the infamous dot dot slash bug /../
which allows directory traversal, so it should look
something like this
You'll have the ability to read, delete, rename file
and upload file anywhere you want. All you need to do
now is to upload something like ntdaddy.asp or
cmdasp.asp to some active domain names to be able
execute commands via web browser.
You can upload nc.exe and execute nc.exe by calling an
asp script from your browser. The possibilities are
Vendor has been contacted.
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!