Hosting Controller directory traversal (/../) madness

Date: 03/14/2002

Some hosting providers mailed me and asked me to do a bit more research on Hosting Controller. They said their clients' sites had been deleted mysteriously, and defacements were still happening at large even though they had applied all the patches. So here is what I found.

Bug #1

File_editor.asp allows clients to edit their web pages online, without needing to download the pages, edit them and re-upload them over FTP. File_editor.asp is vulnerable to /../ directory traversal, which lets an attacker break out of his own root path and edit any file on the host.

Bug #2

Folderactions.asp is also vulnerable to dot-dot-slash (/../) traversal, which lets an attacker create and delete files and directories anywhere on the server he chooses. This is especially dangerous because Hosting Controller does not perform proper permission and user-rights checking, so the attacker can delete anything he wants. The current patches from Hosting Controller do NOT fix this.

If you combine these two bugs, you can actually compromise the server. I won't explain how to do that, in order to protect Hosting Controller's users.

Fix:

I have attached fixed versions of folderactions.asp and file_editor.asp. All you need to do is replace your old *.asp files with these.

Vendor has been contacted.

Phuong Nguyen
Attachment: fix.zip
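The check that both pages need before any file or folder operation is a containment test on the normalised path, not a textual search for "..". The following is an added example, not code from the advisory or from the attached fix.zip, written in Python rather than classic ASP so it runs stand-alone; CLIENT_ROOT and the sample requests are constructed for illustration, and the same guard would sit in front of the FileSystemObject calls in file_editor.asp and folderactions.asp. It also covers variants the advisory does not spell out (percent-encoding, backslashes, absolute paths, NUL bytes), since a fix that stops only a literal /../ is easily bypassed.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical per-client web root (assumption, not a real Hosting Controller path).
# Forward slashes are used so the example runs on any platform; IIS accepts both
# separators, which is why backslashes are normalised below.
CLIENT_ROOT = "/inetpub/wwwroot/clients/acme"


def naive_join(client_root: str, requested: str) -> str:
    """The unsafe pattern the advisory describes: append the client-supplied
    name to the client's root and let normalisation collapse the '..'
    components, so any '/../' walks out of client_root.  Backslashes are
    treated as separators to model IIS."""
    return posixpath.normpath(posixpath.join(client_root, requested.replace("\\", "/")))


def safe_join(client_root: str, requested: str) -> str:
    """Return the absolute path for 'requested' only if it stays inside
    client_root; raise ValueError otherwise."""
    # 1. Decode percent-encoding repeatedly so %2e%2e and %252e%252e cannot
    #    slip past the check (bounded loop: three rounds is plenty).
    decoded = requested
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    # 2. An embedded NUL can truncate the name in native file APIs; never accept it.
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # 3. Treat backslashes as separators, since the target is Windows/IIS.
    decoded = decoded.replace("\\", "/")
    # 4. Absolute paths and drive letters (C:/...) bypass the root entirely.
    if decoded.startswith("/") or (len(decoded) >= 2 and decoded[1] == ":"):
        raise ValueError("absolute path not allowed")
    # 5. Join, normalise, then test containment against the normalised root.
    #    On a live system also resolve symlinks/junctions (os.path.realpath)
    #    before this comparison; string normalisation alone cannot see them.
    root = posixpath.normpath(client_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError("path escapes client root")
    return candidate


def is_safe(client_root: str, requested: str) -> bool:
    """Boolean form of safe_join(), for use as a guard before any
    read, write, create or delete on the client's behalf."""
    try:
        safe_join(client_root, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample requests of the kind a client supplies to the two pages.
    samples = [
        "pages/index.htm",
        "../../../../windows/win.ini",
        "..\\..\\other-client\\default.htm",
        "%2e%2e/%2e%2e/other-client/default.htm",
        "%252e%252e/other-client/default.htm",
        "C:/inetpub/wwwroot/other-client/default.htm",
    ]
    for s in samples:
        print(f"{s!r:45} naive={naive_join(CLIENT_ROOT, s)!r}  safe={is_safe(CLIENT_ROOT, s)}")
```

Note that the containment test is applied to the normalised result, so a request such as "../acme/pages/a.htm" that leaves the root and re-enters it is accepted; what matters is where the final path lands, not whether ".." appears in the input.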