Guys, I'm sorry, it's my bad for not saying which platform and version I tested on. I tested on Windows 2000, version 1.4.1 with all patches applied; previous versions are probably affected as well.

Phuong

--- "Shannon.ONeil" <Shannon.ONeil@target.com> wrote:
> Phuong,
>
> What is the platform, please?
>
>
> -----Original Message-----
> From: Phuong Nguyen [mailto:dphuong@yahoo.com]
> Sent: Monday, March 18, 2002 16:44
> To: bugtraq@securityfocus.org
> Subject: Hosting Directory Traversal madness...
>
>
> Hosting Controller directory traversal (/../) madness
>
> Date 03/14/2002
>
> Some hosting providers mailed me and asked me to do a bit more research about Hosting Controller. They said their clients' sites have been deleted mysteriously, and defacement still happens quite at large even though they have applied all the patches. So here's what I found.
>
> Bug #1
>
> File_editor.asp allows clients to edit their web pages online, without the need to download the pages, edit them and re-upload them using FTP. File_editor.asp is vulnerable to /../, which allows an attacker to break out of his root path and edit any files on the hosts.
>
> Bug #2
>
> Folderactions.asp is also vulnerable to dot dot slash (/../), allowing an attacker to create and delete files and directories on the server at his choice. This is rather dangerous because Hosting Controller does not perform proper permission checking and user right checking, so the attacker can delete anything he wants. The current patches from Hosting Controller do NOT fix this.
>
> If you combine those two bugs together then you can actually compromise the server. I won't explain to you how to do that, in order to protect Hosting Controller's users.
>
> Fix:
>
> I attached the fixed versions of folderactions.asp and file_editor.asp. All you need to do is replace your old *.asp files with these.
>
> Vendor has been contacted.
>
> Phuong Nguyen
>
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Sports - live college hoops coverage
> http://sports.yahoo.com/
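Both bugs in the quoted advisory reduce to one missing check: the path a client hands to file_editor.asp or folderactions.asp is joined onto a filesystem path without confirming that the result still lies under that client's own directory. The fixed .asp files the author attached are not on this page, so what follows is an added Python example (not Hosting Controller code and not Phuong's fix) of the containment check such a script needs. It uses ntpath so the Windows 2000 semantics (backslashes, drive letters, UNC names, case-insensitive comparison) are reproduced on any OS; the root D:\hosting\client1, the function names and every request input below are constructed for illustration.

```python
"""Constructed example: confining a client-supplied path to a hosting root.

Models the check that file_editor.asp / folderactions.asp lacked: every path
taken from the request must resolve to a location inside the client's own
web root before it is edited, created or deleted.
"""
import ntpath
from urllib.parse import unquote


class PathEscape(ValueError):
    """Raised when a client path would leave the client's root."""


def resolve_under_root(client_root: str, user_path: str) -> str:
    """Return the absolute Windows path for user_path inside client_root,
    or raise PathEscape if it would land anywhere else.

    client_root: the per-client directory assigned by the server (trusted).
    user_path:   the path parameter taken from the request (untrusted).
    """
    # Decode until stable: a second layer of URL encoding (%252e%252e) is a
    # common way to smuggle ".." past a naive string filter.
    decoded = user_path
    while True:
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt

    # An embedded NUL would truncate the path at the C level.
    if "\x00" in decoded:
        raise PathEscape("NUL byte in path")

    # Refuse anything that names its own origin: drive letters (C:\ or C:foo),
    # UNC shares (\\server\share) and rooted paths (\winnt or /winnt).
    # ntpath.join() would take such a path as-is and discard client_root.
    if (ntpath.isabs(decoded)
            or ntpath.splitdrive(decoded)[0]
            or decoded.startswith(("\\", "/"))):
        raise PathEscape(f"absolute path rejected: {user_path!r}")

    root_abs = ntpath.normpath(ntpath.abspath(client_root))
    candidate_abs = ntpath.normpath(ntpath.join(root_abs, decoded))

    # Compare case-folded, separator-normalised forms. The candidate must be
    # the root itself or start with root + separator; a bare prefix test
    # would accept D:\hosting\client1evil for root D:\hosting\client1.
    root_cmp = ntpath.normcase(root_abs)
    cand_cmp = ntpath.normcase(candidate_abs)
    if cand_cmp != root_cmp and not cand_cmp.startswith(root_cmp + ntpath.sep):
        raise PathEscape(f"path escapes client root: {user_path!r} -> {candidate_abs}")
    return candidate_abs


def is_confined(client_root: str, user_path: str) -> bool:
    """True if user_path stays inside client_root, False if it escapes."""
    try:
        resolve_under_root(client_root, user_path)
        return True
    except PathEscape:
        return False


if __name__ == "__main__":
    # Constructed request inputs, in the spirit of the /../ madness above.
    ROOT = "D:\\hosting\\client1"
    for p in ["pages/index.htm",
              "pages/../default.htm",
              "../../winnt/system32/config/sam",
              "..\\..\\client2\\default.htm",
              "%2e%2e/%2e%2e/winnt/win.ini",
              "C:\\boot.ini",
              "\\\\evil\\share\\x"]:
        try:
            print(f"ALLOW {p!r:40} -> {resolve_under_root(ROOT, p)}")
        except PathEscape as e:
            print(f"DENY  {p!r:40} ({e})")
```

The check is deliberately done on the canonicalised result rather than by searching the input for "..": normalisation also collapses mixed separators, "." segments and doubled encoding, so the decision is made on the path the filesystem would actually open. In an ASP handler the same test would run once, right before any FileSystemObject call, and the handler would still need the per-user permission check the advisory says is missing, since staying inside the root does not by itself prove the caller owns it.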