Hi,

Here's my new advisory about Hosting Controller.

Phuong

Hosting Controller - Multiple vulnerabilities
Date: 01/04/2002

Summary
-------
Hosting Controller is an all-in-one administrative hosting tool for Windows. It automates a wide range of hosting tasks and provides control of each hosted site to the respective owners. Hosting Controller is now widely used by hosting providers and can be found at http://www.hostingcontroller.com.

Systems Affected: Only the latest version, HostingController 1.4.1, was tested. (Probably all prior versions)

Vulnerability 1 - Browsing Non-public Directories Allowed
Vulnerability 2 - Dot Dot Slash bug and autosignup/dsp_newhc.asp

Impact: An attacker may be able to browse directories not intended to be publicly accessible and upload scripts to manipulate files and control administration of sites using the latest version of HostingController.

Vendor contacted.

Details
-------
Vulnerability 1 - Browsing Non-public Directories Allowed

Hosting Controller has a security flaw which allows outside attackers to browse any file and any directory without authentication. Files can't be read; however, the second vulnerability (explained below) would allow you to compromise the whole server.

Sample scripts that allow browsing anywhere on the server:

http://www.eg.com/hc/stats/statsbrowse.asp?filepath=c:\&Opt=3
http://www.eg.com/hc/serv_u/servubrowse.asp?filepath=c:\&Opt=3
http://www.eg.com/hc/adminsettings/browsedisk.asp?filepath=c:\&Opt=3
http://www.eg.com/hc/adminsettings/browsewebalizerexe.asp?filepath=c:\&Opt=3
http://www.eg.com/hc/SQLServ/sqlbrowse.asp?filepath=c:\&Opt=3

The directory "hc" is an example of the path to the HostingController scripts on the sample domain. The actual "hc" directory name -- such as "admin" or "hostingcontroller" -- must be discovered for each "eg.com" and replaced in the above URL scripts.
Vulnerability 2 - "Dot Dot Slash" bug and autosignup/dsp_newwebadmin.asp

The dsp_newwebadmin.asp script from Hosting Controller can be executed by using, e.g.:

http://www.eg.com/hc/autosignup/dsp_newwebadmin.asp

This allows an attacker to create a new domain name and a new account without logging in as administrator. The attacker can then log into HostingController after the new account has been created using the script dsp_newwebadmin.asp. Once logged in, the attacker can use all HostingController menu options as owner of the new account. The new domain name just created cannot yet be accessed, because it needs to be activated by the "resadmin".

To gain control of administration and execute arbitrary code on the hosting server, the attacker need only click on HostingController's "Directories" option on the left-hand side, which leads to the "File Manager" page. This allows file management, but only within :\\webspace\resadmin\youraccount\youraccount.com

But the filemanager.asp of HostingController is also vulnerable to the well-known "dot dot slash" bug (/../), allowing directory traversal via a script URL such as:

http://www.eg.com/hc/folders/filemanager.asp&siteindex=testing&sitename=testing.com&OpenPath=C:\webspace\resadmin\testing\testing.com\www\..\..\..\..\..\

The attacker is then able to read, delete, rename and upload files anywhere on the eg.com server. For example, ntdaddy.asp or cmdasp.asp can be uploaded to active domain names so that the attacker can execute commands via web browser. With a little bit of work, the attacker can also upload nc.exe and call nc.exe from an asp script ... Thereafter, the site is of course toast.

Vendor contacted.
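Both flaws above come down to the same two defects: disk-browsing scripts that answer a filepath= request with no session, and a filemanager.asp OpenPath value that is never checked against the account's own webspace. The Python below is an added example, not part of the advisory and not Hosting Controller code. It shows the containment check the file manager lacks (Windows path normalisation resolves the "..\" segments before the comparison, so encoding tricks do not help) and a small scanner that flags both request patterns in W3C-style IIS log lines. The log lines are constructed, the webspace layout C:\webspace\resadmin\<account>\<domain> is assumed from the advisory's sample paths, and the finding labels are my own.

```python
"""Defender-side checks for the two Hosting Controller issues above.

Added example. The IIS log lines are constructed, not captured traffic;
WEBSPACE_ROOT is assumed from the advisory's sample path
C:\\webspace\\resadmin\\<account>\\<domain>.
"""
import ntpath
from urllib.parse import parse_qs

# Assumed account layout, taken from the advisory's sample paths.
WEBSPACE_ROOT = r"C:\webspace\resadmin"

# Scripts the advisory lists as browsing the disk without authentication.
BROWSE_SCRIPTS = {"statsbrowse.asp", "servubrowse.asp", "browsedisk.asp",
                  "browsewebalizerexe.asp", "sqlbrowse.asp"}
SIGNUP_SCRIPT = "dsp_newwebadmin.asp"
FILE_MANAGER = "filemanager.asp"


def is_within_base(base: str, requested: str) -> bool:
    """True only if `requested`, after Windows path normalisation
    (which resolves '..' and treats '/' like '\\'), still lies under `base`.
    This is the containment check filemanager.asp's OpenPath lacks."""
    base_n = ntpath.normcase(ntpath.normpath(base)).rstrip("\\")
    if not ntpath.isabs(requested):
        # Relative paths are resolved against the account root first.
        requested = ntpath.join(base_n, requested)
    req_n = ntpath.normcase(ntpath.normpath(requested)).rstrip("\\")
    return req_n == base_n or req_n.startswith(base_n + "\\")


def classify_request(uri_stem: str, query: str) -> list:
    """Map one request (path + query string) to a list of finding labels."""
    script = uri_stem.rsplit("/", 1)[-1].lower()
    params = {}
    if query and query != "-":  # IIS writes '-' for an empty query string
        params = {k.lower(): v[0] for k, v in
                  parse_qs(query, keep_blank_values=True).items()}
    findings = []
    if script in BROWSE_SCRIPTS and "filepath" in params:
        findings.append("browse-script-with-filepath")
    if script == SIGNUP_SCRIPT:
        findings.append("autosignup-script-reached")
    if script == FILE_MANAGER and "openpath" in params:
        account_root = ntpath.join(WEBSPACE_ROOT,
                                   params.get("siteindex", ""),
                                   params.get("sitename", ""))
        if not is_within_base(account_root, params["openpath"]):
            findings.append("openpath-outside-account-webspace")
    return findings


def scan_iis_log(lines) -> list:
    """Scan W3C-style IIS log lines
    (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status)
    and return (client_ip, script, findings) for each flagged request."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        client_ip, uri_stem, query = fields[2], fields[4], fields[5]
        findings = classify_request(uri_stem, query)
        if findings:
            hits.append((client_ip, uri_stem.rsplit("/", 1)[-1].lower(), findings))
    return hits


# Constructed sample log: three requests matching the advisory, two benign.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    r"2002-04-01 10:15:02 203.0.113.5 GET /hc/stats/statsbrowse.asp filepath=c:\&Opt=3 200",
    "2002-04-01 10:15:40 203.0.113.5 GET /hc/autosignup/dsp_newwebadmin.asp - 200",
    r"2002-04-01 10:16:10 203.0.113.5 GET /hc/folders/filemanager.asp "
    r"siteindex=testing&sitename=testing.com&OpenPath=C:\webspace\resadmin\testing\testing.com\www\..\..\..\..\.. 200",
    r"2002-04-01 10:20:00 198.51.100.7 GET /hc/folders/filemanager.asp "
    r"siteindex=testing&sitename=testing.com&OpenPath=C:\webspace\resadmin\testing\testing.com\www\images 200",
    "2002-04-01 10:21:00 198.51.100.7 GET /index.html - 200",
]

if __name__ == "__main__":
    for ip, script, findings in scan_iis_log(SAMPLE_LOG):
        print(ip, script, ", ".join(findings))
```

The scanner deliberately reuses is_within_base rather than grepping for "..": a request that reaches the same place through "/" separators or extra "..\" segments past the drive root normalises to the same path and is caught the same way, while a legitimate sub-folder of the account's own site is not flagged.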