Hosting Controller Software for Web Hosting Companies Has Input Validation Errors in 'dsnmanager.asp' and 'imp_rootdir.asp' Scripts That Allow Remote Users to View Files on the System and Upload and Copy Files With Administrator Privileges
|
|
SecurityTracker Alert ID: 1004319 |
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: May 17 2002
|
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, Root access via network
|
Exploit Included: Yes
|
Description: KHA reported several input validation vulnerabilities in Hosting Controller that allow remote users to view files on the system and to make unauthorized modifications to take control of the system.
It is reported that a remote user can use the '\..' directory traversal characters with the 'dsnmanager.asp' script to view files on the system that are located outside of the Data Source Name (DSN) database directory. A demonstration exploit URL is provided:
http://[targethost]/admin/dsn/dsnmanager.asp?DSNAction=ChangeRoot&RootName=D:\webspace\opendnsserver\target\target.com\db\..\..\..\..\
It is also reported that a remote user can copy and delete files and directories on the system by exploiting the 'import/imp_rootdir.asp' script. The remote user can change the import directory with the following demonstration exploit command:
http://[targethost]/admin/import/imp_rootdir.asp?result=1&www=C:\&ftp=C:\&owwwPath=C:\&oftpPath=C:\
According to the report, the 'advwebadmin' user account is, by default, part of the operating system's Administrator group, so any scripts run under the '/admin' directory will have Administrator privileges on the system. A remote user can apparently upload malicious scripts to the '/admin' directory and then cause the scripts to be executed by invoking the script via web browser. This allows the remote user to execute arbitrary commands on the system with Administrator privileges.
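An added example, not part of the SecurityTracker entry or of Hosting Controller's code: a Python containment check that a request filter or log review could apply to the path-carrying parameters of the two scripts, resolving '..' segments under Windows path rules before comparing against the customer's root directory. The host name, the root directory and the function names are assumptions made for the demonstration.

```python
import ntpath
from urllib.parse import parse_qsl, urlsplit

# Path-carrying query parameters of the two scripts named in the advisory.
PATH_PARAMS = {
    "dsnmanager.asp": {"rootname"},
    "imp_rootdir.asp": {"www", "ftp", "owwwpath", "oftppath"},
}

def is_within_root(root, candidate):
    """True if candidate, with '..' segments resolved, is root or below it."""
    root_n = ntpath.normcase(ntpath.normpath(root))
    cand_n = ntpath.normcase(ntpath.normpath(candidate))
    try:
        return ntpath.commonpath([root_n, cand_n]) == root_n
    except ValueError:  # other drive, or a relative/empty value
        return False

def escaping_params(url, user_root):
    """Return (name, value) pairs in the request that point outside user_root."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1].lower()
    watched = PATH_PARAMS.get(script, set())
    # parse_qsl percent-decodes, so %5C..%5C is checked like a literal \..\
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return [(n, v) for n, v in pairs
            if n.lower() in watched and not is_within_root(user_root, v)]

# Constructed sample data: host and customer root are assumptions.
USER_ROOT = r"D:\webspace\opendnsserver\target\target.com"
BASE = "http://hosting.example/admin/"
SAMPLE_REQUESTS = [
    # stays inside the customer's root
    BASE + r"dsn/dsnmanager.asp?DSNAction=ChangeRoot&RootName=" + USER_ROOT + r"\db",
    # climbs out of the root with \..\ segments
    BASE + r"dsn/dsnmanager.asp?DSNAction=ChangeRoot&RootName=" + USER_ROOT
    + r"\db\..\..\..\.." + "\\",
    # points every import path at a drive root
    BASE + r"import/imp_rootdir.asp?result=1&www=C:\&ftp=C:\&owwwPath=C:\&oftpPath=C:"
    + "\\",
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        bad = escaping_params(request, USER_ROOT)
        print("BLOCK" if bad else "allow", [name for name, _ in bad])
```

The comparison is made on the normalized path rather than by searching for the string '..', so a value on another drive or at a drive root is rejected as well.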
|
Impact: A remote user can view files located anywhere on the drive where the server software is installed. A remote user can copy and delete files and directories on the system. A remote user can change the import directory, upload scripts, and execute them with Administrator privileges.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.hostingcontroller.com/english/index.html
|
Cause: Access control error, Input validation error
|
Underlying OS: Windows (NT), Windows (2000)
|
Reported By: "hdlkha" <hdlkha@yahoo.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 17 May 2002 09:01:39 -0400
From: "hdlkha" <hdlkha@yahoo.com>
Subject: Hosting Controller still have dangerous bugs!
|
-Vulnerable versions: all HC versions.
1. Database directory traversal:
By adding slash dot dot, the user can view the files, folders located on
the system and can add a DSN outside of the user root directory.
http://www.target.com/admin/dsn/dsnmanager.asp?DSNAction=ChangeRoot&RootName=D:\webspace\opendnsserver\target\target.com\db\..\..\..\..\
2. Any user can bypass the authority to take control of any files on the
system:
This vulnerability is in the /import/imp_rootdir.asp file, which lets any
user copy, delete files, folders on the system.
The user can easily take control of any files just by changing the
import directory:
http://www.target.com/admin/import/imp_rootdir.asp?result=1&www=C:\&ftp=C:\&owwwPath=C:\&oftpPath=C:\
-Exploit: By default, advwebadmin is in the Administrator group, so any scripts run under
the /admin directory will have administrator privilege on the system
root. The user can upload malicious script code to the /admin directory and
execute arbitrary commands via browser.
-Workaround: look for the newest patch for HC from www.hostingcontroller.com
KHA
hdlkha@yahoo.com
http://www.viethacker.net
|
|