Hosting Controller Vulnerability

In Hosting Controller 2002, it is possible to change the password of any 
user, including Administrator.

To exploit this, one would have to:

Add a user (/accounts/getuserdesc.asp)
Edit the user, changing the password (/accounts/updateuserdesc.asp)
Then, using something like the @stake web proxy, change the hidden field 
username to whatever they wanted (e.g., administrator), and submit the form.

The vendor was notified and released a patch 
(http://hostingcontroller.com/English/downloads/inc_updateuser.zip) 
within 48 hours of notification (good job!)
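
The flaw described above comes down to the update handler trusting a client-supplied username field. The following is an added example, not Hosting Controller's code or the vendor's patch: a small Python model of such a handler next to a version that authorizes the target against the server-side session. The store, session and form names, and the ownership rule, are assumptions.

```python
import hashlib
import hmac
import os

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountStore:
    """Constructed in-memory account table; names compare case-insensitively."""
    def __init__(self):
        self.users = {}  # casefolded name -> {"salt", "hash", "owner"}

    def add(self, name, password, owner=None):
        self.users[name.casefold()] = {"owner": owner.casefold() if owner else None}
        self.set_password(name, password)

    def set_password(self, name, password):
        rec = self.users[name.casefold()]
        rec["salt"] = os.urandom(16)
        rec["hash"] = _digest(password, rec["salt"])

    def check(self, name, password):
        rec = self.users[name.casefold()]
        return hmac.compare_digest(rec["hash"], _digest(password, rec["salt"]))

def update_user_vulnerable(store, session, form):
    # The flaw from the post: the target account is whatever the hidden
    # "username" field says, with no check against the logged-in user.
    store.set_password(form["username"], form["password"])
    return 200

def update_user_hardened(store, session, form):
    actor = (session.get("user") or "").casefold()
    if not actor:
        return 403                      # no authenticated session
    target = form.get("username", "").casefold()
    rec = store.users.get(target)
    # Same answer for "unknown" and "not yours" so the form cannot be
    # used to probe which account names exist.
    if rec is None or (target != actor and rec["owner"] != actor):
        return 403
    store.set_password(target, form["password"])
    return 200
```

The hardened handler compares casefolded names so that a differently cased spelling of an account name is still checked against the right record.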
