Hi,
Here's my new advisory about Hosting Controller.

Phuong

Hosting Controller - Multiple vulnerabilities
Date: 01/04/2002

Summary
-------

Hosting Controller is an all-in-one administrative
hosting tool for 
Windows.
It automates a wide range of hosting tasks and
provides control of each
hosted site to the respective owners. Hosting
Controller is now widely 
used by
hosting providers and can be found at
http://www.hostingcontroller.com.

Systems Affected: Only the latest version,
HostingController 1.4.1, was 
tested. (Probably all prior versions)

Vulnerability 1 - Browsing Non-public Directories
Allowed
Vulnerability 2 - Dot Dot Slash bug and
autosignup/dsp_newhc.asp

Impact: An attacker may be able to browse directories
not intended to 
be publically accessible and upload scripts to
manipulate files and 
control administration of sites using the latest
version of HostingController.

Vendor contacted.


Details
-------

Vulnerability 1 - Browsing Non-public Directories
Allowed

Hosting Controller has a security flaw which allows
outside attackers 
to browse any file and any directory without
authentication. Files can't be 
read, however the second vulnerability (explained
below) would allow you to 
compromise the whole server.

Sample scripts that allow browsing anywhere on the
server:
http://www.eg.com/hc/stats/statsbrowse.asp?filepath=c:\&Opt=3
http://www.eg.com/hc/serv_u/servubrowse.asp?filepath=c:\&Opt=3
http://www.eg.com/hc/adminsettings/browsedisk.asp?filepath=c:\&Opt=3
http://www.eg.com/hc/adminsettings/browsewebalizerexe.asp?filepath=c:\&Opt=3
http://www.eg.com/hc/SQLServ/sqlbrowse.asp?filepath=c:\&Opt=3

The directory "hc" is an example of the path to the
HostingController
script on the sample domain. The actual "hc" directory
name -- such as 
"admin" or "hostingcontroller" -- must be discovered
for each "eg.com" 
and 
replaced in the above URL scripts.


Vulnerability 2 - "Dot Dot Slash" bug and
autosignup/dsp_newwebadmin.asp

The dsp_newwebadmin.asp script from Hosting Controller
can be 
executed 
by using, eg:

   
http://www.eg.com/hc/autosignup/dsp_newwebadmin.asp

This allows an attacker to create a new domain name
and a new account
without logging in as administrator. The attacker can
then log into
HostingController after the new account has been
created using the 
script dsp_newwebadmin.asp.

Once logged in, the attacker can use all
HostingController menu 
options, as owner of the new account. The new domain
name you just created, 
cannot yet be accessed because it needs to be
activated by the "resadmin". 

To gain control of administration and execute
arbitrary code on the 
hosting server, the attacker need only click on the
HostingController's 
"Directories" option on the left-hand side  which will
lead 
to the "File Manager" page allowing and you are only
allowed to manage files 
within
<drive>:\\webspace\resadmin\youraccount\youraccount.com

But the filemanager.asp of HostingController is also
vulnerable to 
the well-known "dot dot slash" bug /../ allowing
directory traversal, via a 
script URL such as:

    
http://www.eg.com/hc/folders/filemanager.asp&siteindex=testing&sitename=
    testing.com&OpenPath=
   
C:\webspace\resadmin\testing\testing.com\www\..\..\..\..\..\

The attacker then is able to read, delete, rename and
upload files 
anywhere on the eg.com server. For example,
ntdaddy.asp or cmdasp.asp can be 
uploaded to active domain names so that the attacker
can execute commands via
web browser. With a little bit of work, the attacker
can also upload nc.exe 
and called nc.exe from an asp script ... Thereafter,
the site is of course toast.

Vendor contacted.


__________________________________________________
Do You Yahoo!?
Send FREE video emails in Yahoo! Mail!
http://promo.yahoo.com/videomail/