+/-----------\---------- ALPER Research Labs --------/--- --------/+
+/------------\--------- Security Advisory -------/---------- --/+
+/-------------\-------- ID: ARL02-A01 ------/----------- --/+
+/--------------\------- salper@pcworld.com.tr -----/------- -------/+

Advisory Information
--------------------

Software Package    : Hosting Controller
Vendor Homepage     : http://www.hostingcontroller.com
Vulnerable Versions : 1.4.1, 1.4.b and probably previous versions
Platforms           : Windows based servers
Vulnerability Type  : Design Error
Vendor Contacted    : 23/Jan/2002
Prior Problems      : BID: 3808 & BID: 3811
Current Version     : 1.4.1 (vulnerable)

Summary
-------

Hosting Controller is an all-in-one administrative hosting tool for Windows based servers. It automates all hosting tasks and gives full control of each website to the respective owner.

A vulnerability exists in Hosting Controller which lets anyone confirm whether a username exists and then brute-force the password of a known user. The login form returns a different error message depending on whether the username or the password was wrong, so the form itself acts as a username oracle.

Details
-------

Site owners log in to Hosting Controller by submitting the login form found at one of the following paths:

http://www.thesite.com.tr/admin/
http://www.thesite.com.tr/webadmin/
http://www.thesite.com.tr/advwebadmin/
http://www.thesite.com.tr/hostingcontroller/

These paths are the most common ones for the Hosting Controller login page.

If a non-existent username is entered, the form returns the message:

  "The user name could not be found"

Anyone can repeat this login attempt with different names to find existing usernames. When an existing username is entered with an incorrect password, the form returns a different message:

  "The user has entered an invalid password"

The attacker can therefore first confirm that a username exists and then launch a brute-force attack against the password of that known username. Note that domain names or related variations are generally used as usernames in Hosting Controller, so the username is often trivially predictable and the first step can frequently be skipped.
Once logged in, the attacker has total control over the web site.

Solution
--------

The vendor replied within 12 hours of being contacted, stating that they would release a patch within 1-2 weeks, probably based on the first of the solutions suggested below. Hosting Controller's managers were highly responsive to this advisory and acknowledged the vulnerability in the Hosting Controller programme. They responded quickly and professionally, which is how every vendor should act in such a situation.

1. A practical mitigation is limiting login attempts from the same IP address within a time window, e.g. 3 wrong password entries from the same IP within an hour triggers a temporary lockout. Rate limiting alone slows the brute-force step but does not remove the username oracle, so it should be combined with suggestion 2.

2. The login form should return a single message such as "Wrong username or password" whether the username or the password is wrong, so that the response no longer reveals which of the two failed.

3. Assigning hard-to-guess usernames and passwords, and changing passwords periodically, also reduces the exposure.

4. The Hosting Controller login page can be moved to a non-default path, possibly one named with a random character sequence. This only raises the cost of locating the form; it does not fix the oracle itself.

Credits
-------

Discovered on Jan 23, 2002 by Ahmet Sabri ALPER <salper@pcworld.com.tr>
Ahmet Sabri ALPER is the System Security Editor of PCLIFE Magazine.

References
----------

Product Web Page: http://www.hostingcontroller.com
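Example
-------

The following Python is an added illustration and is not Hosting Controller's code; the product's own login implementation is not shown on this page. It models the behaviour described in the Details section, a login handler whose two distinct error messages act as a username oracle, next to a handler implementing solutions 1 and 2 from the Solution section: one generic message for every failure and a lockout of the source IP after 3 failures within an hour. The user store, the hashing scheme, the usernames, the IP addresses and the message texts other than the two quoted in the advisory are all constructed for the example.

```python
"""Login-message oracle from the advisory, beside a hardened variant.

Added example; not Hosting Controller code. User store, hashing scheme,
usernames and IP addresses are constructed for illustration.
"""
import hashlib
import hmac
import time
from collections import defaultdict


def _hash(password, salt="constructed-salt"):
    """Salted SHA-256, standing in for whatever the real product stores."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user store. Hosting Controller commonly used domain-derived
# usernames, so the (made up) login names here follow that pattern.
USERS = {
    "thesite.com.tr": _hash("s3cret-Pa55"),
    "otherdomain.com": _hash("hunter2"),
}
# Hash compared against when the username does not exist, so an unknown
# user costs the same work as a wrong password (no timing oracle).
_DUMMY_HASH = _hash("not-a-real-password")

MSG_NO_USER = "The user name could not be found"          # quoted in advisory
MSG_BAD_PASSWORD = "The user has entered an invalid password"  # quoted in advisory
MSG_GENERIC = "Wrong username or password"                 # solution 2
MSG_LOCKED = "Too many failed logins from this address; try again later"
MSG_OK = "Welcome"


def vulnerable_login(username, password):
    """Behaviour the advisory describes: the message reveals which part failed."""
    if username not in USERS:
        return MSG_NO_USER
    if not hmac.compare_digest(USERS[username], _hash(password)):
        return MSG_BAD_PASSWORD
    return MSG_OK


def enumerate_users(candidates):
    """Username enumeration: any reply other than MSG_NO_USER confirms the name.

    The password sent is deliberately wrong; only the message matters."""
    return [u for u in candidates if vulnerable_login(u, "x") != MSG_NO_USER]


class HardenedLogin:
    """Solutions 1 and 2 from the advisory: one message, per-IP lockout."""

    MAX_FAILURES = 3        # wrong attempts allowed ...
    WINDOW_SECONDS = 3600   # ... per source IP within this window

    def __init__(self, clock=time.time):
        self._clock = clock                 # injectable for deterministic tests
        self._failures = defaultdict(list)  # ip -> timestamps of failures

    def _recent_failures(self, ip):
        now = self._clock()
        recent = [t for t in self._failures[ip] if now - t < self.WINDOW_SECONDS]
        self._failures[ip] = recent
        return len(recent)

    def login(self, ip, username, password):
        if self._recent_failures(ip) >= self.MAX_FAILURES:
            return MSG_LOCKED
        stored = USERS.get(username, _DUMMY_HASH)
        # Compare even for unknown users; the message is the same either way.
        ok = hmac.compare_digest(stored, _hash(password)) and username in USERS
        if not ok:
            self._failures[ip].append(self._clock())
            return MSG_GENERIC
        return MSG_OK


def enumerate_users_hardened(handler, ip, candidates):
    """Same probe against the hardened handler: every reply is identical."""
    return {u: handler.login(ip, u, "x") for u in candidates}


if __name__ == "__main__":
    names = ["thesite.com.tr", "nobody.example", "otherdomain.com"]
    print("vulnerable oracle finds:", enumerate_users(names))
    h = HardenedLogin()
    print("hardened replies:", enumerate_users_hardened(h, "198.51.100.7", names))
```

Run against the constructed store, the vulnerable handler lets the probe recover both real usernames from a single wrong-password attempt each, while the hardened handler answers every probe with the same string and locks the probing address out after the third failure. The lockout is keyed on source IP only, so it does little against an attacker spreading attempts across many addresses and can lock out legitimate users behind a shared NAT; the uniform error message is the part that actually closes the enumeration hole.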