From: hdlkhayahoo.com
Date: Fri May 17 2002 - 04:10:51 CDT


    -Vulnerable versions: all HC versions.

    1. Database directory traversal:
    By adding slash dot dot, the user can view the files and folders
    located on the system and can add a DSN outside the user's root
    directory.
    http://www.target.com/admin/dsn/dsnmanager.asp?DSNAction=ChangeRoot&RootName=D:\webspace\opendnsserver\target\target.com\db\..\..\..\..\
    2. Any user can bypass authorization to take control of any
    files on the system:
    This vulnerability is in the /import/imp_rootdir.asp file,
    which lets any user copy or delete files and folders on the
    system.
    The user can easily take control of any files just by
    changing the import directory:
    http://www.target.com/admin/import/imp_rootdir.asp?result=1&www=C:\&ftp=C:\&owwwPath=C:\&oftpPath=C:\

    -Exploit: By default, advwebadmin is in the Administrators group,
    so any script run under the /admin directory will have
    administrator privileges on the system root. The user can
    upload malicious script code to the /admin directory and
    execute arbitrary commands via the browser.

    -Workaround: look for the newest patch for HC from
    www.hostingcontroller.com

    KHA
    hdlkhayahoo.com
    http://www.viethacker.net
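
A defender-side log check for the two requests described in the advisory, as an added example that is not part of the original post or of Hosting Controller. It assumes IIS W3C logs with the field order shown in the comment and that all customer content lives under `D:\webspace`; the log lines, customer paths and IP addresses are constructed.

```python
import ntpath
import re
from urllib.parse import parse_qs

HOSTING_ROOT = r"D:\webspace"  # assumption: parent of every customer directory
# Endpoints and path-bearing query parameters named in the advisory.
WATCHED = {
    "/admin/dsn/dsnmanager.asp": ("RootName",),
    "/admin/import/imp_rootdir.asp": ("www", "ftp", "owwwPath", "oftpPath"),
}

def path_problem(value, root=HOSTING_ROOT):
    """Return why a Windows path value is suspicious, or None if it looks fine."""
    if ".." in re.split(r"[\\/]+", value):
        return "contains '..' segment"
    resolved = ntpath.normcase(ntpath.normpath(value))
    base = ntpath.normcase(ntpath.normpath(root))
    if resolved != base and not resolved.startswith(base + "\\"):
        return "outside hosting root"
    return None

def review_request(stem, query):
    """Return [(parameter, value, reason)] for one logged request."""
    values = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
    return [(p, v, path_problem(v)) for p in WATCHED.get(stem.lower(), ())
            for v in values.get(p.lower(), []) if path_problem(v)]

def scan(lines):
    """Return [(client_ip, stem, findings)] for log lines that have findings."""
    hits = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        findings = review_request(fields[4], fields[5])
        if findings:
            hits.append((fields[2], fields[4], findings))
    return hits

# Constructed sample: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = [
    r"2002-05-17 09:10:51 192.0.2.10 GET /admin/dsn/dsnmanager.asp DSNAction=ChangeRoot&RootName=D:\webspace\cust1\example.com\db\..\..\..\..\ 200",
    r"2002-05-17 09:11:02 192.0.2.10 GET /admin/import/imp_rootdir.asp result=1&www=C:\&ftp=C:\&owwwPath=C:\&oftpPath=C:\ 200",
    r"2002-05-17 09:12:40 198.51.100.7 GET /admin/dsn/dsnmanager.asp DSNAction=ChangeRoot&RootName=D:\webspace\cust2\example.org\db 200",
]

if __name__ == "__main__":
    for ip, stem, findings in scan(SAMPLE_LOG):
        print(ip, stem, findings)
```

Because `parse_qs` percent-decodes values before the check, `%5C..%5C` forms of the same request are flagged as well.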