Vulnerability: Ability to add/modify domains in name servers of webhosting companies who are reselling for Alabanza.
Vendor Contacted: Yes, 09-14-99 - Hole still exists.
==========================================================================

Hello everyone,

I recently discovered a serious bug in the control panel that can really bring a webhost to its knees. This hole is for the control panel of all Alabanza based resellers/hosts. There could be more bugs but I did not take the time to find them yet. This is serious enough since you can delete all resold domains for a particular webhosting company. You can also change the default MX and CNAME records of all associated domains.

By copying the following url to *most* Alabanza host resellers, you have the ability to add a domain to their NS without the control panel user name and password:

http://www.domain.com/cp/rac/nsManager.cgi?Domain=HAHAHA.org&IP=127.0.0.1&OP=add&Language=english&Submit=Confirm

*The above link has been broken to prevent abuse. If you are an Alabanza based host/reseller, you can easily fix it*

I have tested this on multiple domains and so far, most of them worked. You can substitute domain.com for any Alabanza host/reseller domain, and substitute HAHAHA.org for the domain you want DNS set up for. I also changed the IP to localhost instead of whatever was in there. The IP you put after IP= is the IP the domain will resolve to.

Here is an example after typing in the above fixed link with a proper Alabanza domain in the beginning:

Name Server Manager
Domain HAHAHA.org will be added within 1 hour!
Your domain HAHAHA.org 127.0.0.1 will be setup within 1 hour!
Please click here to go back.

After the submission of the domain, you are even given a link to take a look at the changes to be made. From this page, you can delete as well as modify all associated domains:

http://www.domain.com/cp/rac/nsManager.cgi?Language=english

*Again, it's been broken*

Again, no user name or password is required. This is one of the exploits I have currently found in the control panel. I have not looked further since this notice should make everyone aware of what potential problems can exist. Serious damage to a host can be caused through this. If you would like to get it fixed, you better email the admins at Alabanza. It's been more than a week since I have contacted them and no fix yet. Hopefully, this will speed them up.

Weihan Leow
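As an added example (not part of the original advisory), here is a log check a host could run while waiting for a fix: it scans web-server access-log lines in the common combined format for requests to /cp/rac/nsManager.cgi that carry a modifying OP but no authenticated user in the remote-user field. The sample log lines are constructed; the advisory only shows OP=add, so the "delete" and "modify" values are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# NCSA combined log format; the third field is the HTTP-auth user ("-" when none).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# OP values that change name-server data. "add" is from the advisory;
# "delete" and "modify" are assumed names for the other operations it describes.
MODIFYING_OPS = {"add", "delete", "modify"}

def parse_line(line):
    """Split one access-log line into fields, path and decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec

def flag_unauth_ns_changes(lines):
    """Return (client, op, domain, status) for nsManager.cgi requests that
    perform a modifying OP while the log shows no authenticated user."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/cp/rac/nsManager.cgi"):
            continue
        op = rec["query"].get("OP", "").lower()
        if op in MODIFYING_OPS and rec["user"] == "-":
            hits.append((rec["client"], op, rec["query"].get("Domain", ""), rec["status"]))
    return hits

# Constructed sample log (not from any real host); the first line mirrors the advisory's URL.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Sep/1999:10:01:02 -0400] "GET /cp/rac/nsManager.cgi?Domain=HAHAHA.org&IP=127.0.0.1&OP=add&Language=english&Submit=Confirm HTTP/1.0" 200 512
203.0.113.5 - - [14/Sep/1999:10:01:30 -0400] "GET /cp/rac/nsManager.cgi?Language=english HTTP/1.0" 200 2048
198.51.100.7 - reseller1 [14/Sep/1999:10:02:00 -0400] "GET /cp/rac/nsManager.cgi?Domain=example.net&IP=192.0.2.10&OP=add&Language=english&Submit=Confirm HTTP/1.0" 200 512
198.51.100.9 - - [14/Sep/1999:10:03:00 -0400] "GET /index.html HTTP/1.0" 200 1024
""".splitlines()

if __name__ == "__main__":
    for hit in flag_unauth_ns_changes(SAMPLE_LOG):
        print("UNAUTHENTICATED NS CHANGE:", hit)
```

A request with a 200 status in the flagged list means the change was accepted without credentials, which is the condition the advisory describes.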