-= Security Advisory =-

Advisory Information
-------------------------
Software Package    : Hosting Controller
Vendor Homepage     : http://www.hostingcontroller.com
Platforms           : Windows based servers
Vulnerability       : Multiple unauthenticated information disclosure
Risk                : Low
Vulnerable Versions : All versions ( Tested on: v.6.1 Hotfix 1.7 )
Vendor Contacted    : 3/6/2005
Release Date        : 3/8/2005

Summary
------------
Hosting Controller is a complete array of Web hosting automation tools for the Windows Server family platform.

(1) The product has a feature which logs site updates and checks this periodically. This log is saved in .CSV format and its storage path is in the web root of the server. Among the information saved in this CSV file, the bandwidth report and disk usage report are written in the "comment" field. As this is a general (not domain-specific) log, reports of EVERY HOSTED DOMAIN on the server are logged here, so by reviewing this file you can enumerate all domain names that are hosted on this server.

Exploit :
http://[target]/admin/logs/HCDiskQuotaService.csv

(2) There is a password recovery feature in the Admin login page of Hosting Controller, which sends your password back to the registered e-mail address saved in the system. If you know the site domain name, remove the .com/.net/.* part and submit it as the requested "login ID", Hosting Controller will disclose the hosting owner's e-mail, which is usually not the one mentioned on the site itself ;) Mix this bug with (1) and have fun :)

/admin/forgotpassword.asp

When does this come in useful? My own scenario: I had to penetrate into a site. Well, the server had no special remote flaw and the web site itself hadn't any bug to use. I used this trick to find a vulnerable web site on the same server and used its flaws to gain access to my final target ...

Solution
----------
The vendor was notified; they have released a patch.
Update your software.

Credits
---------
Discovered on 10 Apr 2004 by (\/) Mouse and Hamid Kashfi
Mouse@xxxxxxxxxxxx
hamid@xxxxxxxxxxxxx

References
-------------
http://isun.Shabgard.org/hc2.html
http://isun.Shabgard.org/hc2.txt

--
(\/)
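
A detection sketch for the two requests described in (1) and (2), as an added example that is not part of the original advisory: it reads IIS W3C extended logs and reports clients that were served the quota log and also requested the password-recovery page. The function names, the log field layout and the sample lines are constructed assumptions.

```python
from collections import defaultdict

# Paths named in the advisory (compared case-insensitively, as IIS does).
CSV_PATH = "/admin/logs/hcdiskquotaservice.csv"
RECOVERY_PATH = "/admin/forgotpassword.asp"

def parse_w3c(lines):
    """Yield one dict per request, using the '#Fields:' header for column names."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_exposure(lines):
    """Return {client_ip: findings} for requests matching the advisory paths."""
    hits = defaultdict(lambda: {"csv_served": 0, "recovery_requests": 0})
    for req in parse_w3c(lines):
        path = req.get("cs-uri-stem", "").lower()
        ip = req.get("c-ip", "-")
        if path == CSV_PATH and req.get("sc-status") == "200":
            hits[ip]["csv_served"] += 1  # the log was actually delivered
        elif path == RECOVERY_PATH:
            hits[ip]["recovery_requests"] += 1
    for f in hits.values():
        # One client that got the log and also used recovery = (1) combined with (2).
        f["chained"] = f["csv_served"] > 0 and f["recovery_requests"] > 0
    return dict(hits)

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-03-09 10:01:02 192.0.2.10 GET /admin/logs/HCDiskQuotaService.csv - 200
2005-03-09 10:01:40 192.0.2.10 POST /admin/forgotpassword.asp - 200
2005-03-09 10:01:55 192.0.2.10 POST /admin/forgotpassword.asp - 200
2005-03-09 10:05:00 198.51.100.7 GET /admin/logs/HCDiskQuotaService.csv - 404
2005-03-09 10:06:00 203.0.113.5 POST /admin/forgotpassword.asp - 200
2005-03-09 10:07:00 203.0.113.5 GET /default.asp - 200
""".splitlines()

if __name__ == "__main__":
    for ip, f in find_exposure(SAMPLE_LOG).items():
        print(ip, f)
```

Any csv_served count above zero means the quota log was delivered to that client without authentication.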