SecurityTracker.com
SecurityTracker Archives

Category:  Application (Generic)  >  Hosting Controller Vendors:  HostingController.com
Hosting Controller Web Hosting Management Application Discloses Information About Valid User Account Names and Allows Brute Force Username and Password Guessing Attacks
Date:  Jan 28 2002
Impact:  Disclosure of system information
Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 1.4.1 , 1.4.b; probably earlier versions
Description:  ALPER Research Labs reported a vulnerability in Hosting Controller, a Windows-based management application for web hosting environments. A remote user can obtain information about valid user account names and can conduct password guessing attacks.

It is reported that a remote user can send a login request to Hosting Controller to determine if the user account name exists or not. Hosting Controller will apparently return the following message for non-existent account names:

"The user has entered an invalid password".

If the user-supplied username is valid but the password is incorrect, the following message is reportedly returned:

"The user name could not be found".

This allows a remote user to conduct a brute force guessing attack against the system to determine valid account names and then to determine valid passwords. Apparently, there are no failed login lockout mechanisms to limit a brute force attack.

The following types of URLs are apparently used to log in:

http://[targethost]/admin/
http://[targethost]/webadmin/
http://[targethost]/advwebadmin/
http://[targethost]/hostingcontroller/

Impact:  A remote user can determine if a user account name is valid on the server.
Solution:  No solution was available at the time of this entry. The vendor is reportedly working on a patch for release within two weeks.
Vendor URL:  www.hostingcontroller.com/english/index.html
Cause:  State error
Underlying OS:  Windows (NT), Windows (2000)
Reported By:  Ahmet Sabri ALPER <s_alper@hotmail.com>
Message History:   None.


 Source Message Contents

Date:  26 Jan 2002 18:20:18 -0000
From:  Ahmet Sabri ALPER <s_alper@hotmail.com>
Subject:  [ARL02-A01] Vulnerability in Hosting Controller

+/-----------\---------- ALPER Research Labs   --------/-----------/+
+/------------\---------  Security Advisory    -------/------------/+
+/-------------\--------    ID: ARL02-A01      ------/-------------/+
+/--------------\------- salper@pcworld.com.tr -----/--------------/+


Advisory Information
--------------------
Software Package   : Hosting Controller
Vendor Homepage    : http://www.hostingcontroller.com
Vulnerable Versions: 1.4.1 , 1.4.b and probably previous versions
Platforms          : Windows based servers
Vulnerability Type : Design Error
Vendor Contacted   : 23/Jan/2002
Prior Problems     : BID: 3808 & BID: 3811
Current Version    : 1.4.1 (vulnerable)


Summary
-------
Hosting Controller is an all-in-one administrative hosting tool for Windows-based servers. It automates all hosting tasks and gives full control of each website to the respective owner. A vulnerability exists in Hosting Controller which could enable anyone to confirm the validity of usernames and crack the passwords of known users via a brute-forcing method.

Details
-------
The site owners may log in to Hosting Controller by submitting the login form found at:
http://www.thesite.com.tr/admin/
http://www.thesite.com.tr/webadmin/
http://www.thesite.com.tr/advwebadmin/
http://www.thesite.com.tr/hostingcontroller/
      * These paths are the most common ones for the Hosting Controller login page.

If a non-existing username is entered, the form returns the message:
"The user name could not be found".
Anyone can try this login process to find an existing user name. When an existing username is entered, but the password supplied with it is incorrect, the form returns the message:
"The user has entered an invalid password".
So now the attacker may launch a brute force attack on the password entry for the known username. I should point out that, generally, domain names or related variations are used as usernames in Hosting Controller, so it is even possible to easily predict the username. Once logged in, the attacker will have total control over the web site.

Solution
--------
The vendor replied within 12 hours after the contact, stating they would release a patch within 1-2 weeks which will probably be based on the first of the solutions suggested below. Hosting Controller managers were highly responsive to this advisory submission and acknowledged the security vulnerability in the Hosting Controller programme. They responded quickly and professionally, which is a really good action that every vendor should take on such occasions.

1. A practical solution might be limiting login tries from the same IP on a time basis. E.g.: 3 wrong password entries from the same IP within an hour may trigger such a protection.

2. The login form might return a message like "Wrong username or password" if either the username or the password entry is wrong.

3. Assignment of hard-to-guess usernames and passwords, and changing of passwords periodically, might also be a quick idea.

4. Also, the path to Hosting Controller might be changed to a non-default path, or perhaps the path might be named with random character sequences.

Credits
-------
Discovered on Jan 23, 2002 by Ahmet Sabri ALPER <salper@pcworld.com.tr>
Ahmet Sabri ALPER is the System Security Editor of PCLIFE Magazine.

References
----------
Product Web Page: http://www.hostingcontroller.com
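As an added example, not part of the advisory above and not Hosting Controller's own code, the following Python sketches the two behaviours the advisory contrasts: a login handler whose error text differs for an unknown username versus a wrong password (the enumeration oracle), beside a hardened handler that applies suggestions 1 and 2 (a uniform "Wrong username or password" reply and a limit of three failures per hour per source IP). A small regression check reports whether the two replies differ, which is the property a defender would test for. The user store, the salted-hash password storage, the IP addresses, the lockout text and the `HardenedLogin` class are constructed assumptions; the two leaking message strings follow the advisory's text.

```python
"""Constructed example: login-response oracle check and a hardened login handler."""
import hashlib
import hmac
import time
from collections import defaultdict


def _hash(password: str, salt: str) -> str:
    """Toy salted SHA-256; Hosting Controller's real storage format is not described."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user store: username -> (salt, digest). A domain-style username,
# as the advisory notes is typical for this product.
USERS = {"example.com": ("s4lt", _hash("hunter2", "s4lt"))}
_DUMMY = ("dummy", _hash("not-a-real-password", "dummy"))  # used for unknown users

MSG_NO_USER = "The user name could not be found"          # from the advisory
MSG_BAD_PW = "The user has entered an invalid password"   # from the advisory
MSG_GENERIC = "Wrong username or password"                # suggestion 2
MSG_LOCKED = "Too many failed attempts; try again later"  # constructed text


def vulnerable_login(username: str, password: str):
    """Behaviour the advisory describes: the reply says whether the username exists."""
    rec = USERS.get(username)
    if rec is None:
        return False, MSG_NO_USER
    salt, digest = rec
    if not hmac.compare_digest(_hash(password, salt), digest):
        return False, MSG_BAD_PW
    return True, "OK"


class HardenedLogin:
    """Uniform error text plus a per-IP failure limit over a sliding time window."""

    def __init__(self, max_failures=3, window_seconds=3600, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock  # injectable so the window can be tested deterministically
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures

    def _recent_failures(self, ip: str, now: float) -> int:
        cutoff = now - self.window
        self.failures[ip] = [t for t in self.failures[ip] if t > cutoff]
        return len(self.failures[ip])

    def login(self, ip: str, username: str, password: str):
        now = self.clock()
        if self._recent_failures(ip, now) >= self.max_failures:
            return False, MSG_LOCKED
        rec = USERS.get(username)
        # Hash against a dummy record for unknown users so response time does
        # not become a second existence oracle; the reply text is always the same.
        salt, digest = rec if rec is not None else _DUMMY
        ok = hmac.compare_digest(_hash(password, salt), digest) and rec is not None
        if not ok:
            self.failures[ip].append(now)
            return False, MSG_GENERIC
        return True, "OK"


def responses_distinguish_users(login_fn) -> bool:
    """Regression check: does an unknown user get a different reply than a known
    user with a wrong password? True means the form is an enumeration oracle."""
    _, unknown_reply = login_fn("nosuchuser.example", "not-the-password")
    _, known_reply = login_fn("example.com", "not-the-password")
    return unknown_reply != known_reply


if __name__ == "__main__":
    print("vulnerable form leaks usernames:", responses_distinguish_users(vulnerable_login))
    hardened = HardenedLogin()
    ip = "203.0.113.5"  # constructed client address
    print("hardened form leaks usernames:",
          responses_distinguish_users(lambda u, p: hardened.login(ip, u, p)))
    for attempt in range(3):  # the check above already used two failures
        print("attempt", attempt + 1, hardened.login(ip, "example.com", "guess"))
```

The lockout is keyed on source IP only because that is what suggestion 1 proposes; in practice it also blocks the legitimate owner from that address until the window expires, so a deployment would pair it with logging of the locked attempts rather than silently dropping them.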

Copyright 2002, SecurityGlobal.net LLC