Hosting Controller Multiple Unauthenticated information disclose

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Hosting Controller Multiple Unauthenticated information disclose
From: small mouse <small.mouse@xxxxxxxxx>
Date: Mon, 7 Mar 2005 14:17:17 -0800
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:mime-version:content-type:content-transfer-encoding; b=BlQIuOoYYfz67TQrmrw9p/OfBz83afilAI0V+UZKxD9NM+57J0F+hKi+jk8fx5mcLnhLoj2aE3uUTXMA5Fcl2J44h2wLBmYlWHHKbW2oEyrvTtyzeeNRvoEwj5lCYvkXpqEznhzt827sefbRtvfGmtbcXbvdKXLbLXLSl7fz920=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: small mouse <small.mouse@xxxxxxxxx>

                                  -= Security  Advisory =-

Advisory Information
-------------------------

Software Package   : Hosting Controller
Vendor Homepage    : http://www.hostingcontroller.com
Platforms          : Windows based servers
Vulnerability      : Multiple Unauthenticated information disclose
Risk               : Low
Vulnerable Versions: All version ( Tested on: v.6.1 Hotfix 1.7 )
Vendor Contacted   : 3/6/2005
Release Date:      : 3/8/2005

Summary
------------

Hosting Controller is a complete array of Web hosting automation tools for
the Windows Server family platform.


(1)
the product have a feature which logs site updates and check this
periodically. this log is saved in a .CSv format and storage path
is in web-root of server. to name some of saved information in this CSV
file , bandwith report and disk usage report are written in "comment" filed.
as this is a general ( not domain specific ) log , reports of EVERY
HOSTED DOMAIN
on the server are logged here . so by reviewing this file , you can enumerate
all domain names that are hosted on this server .

Exploit :

http://[target]/admin/logs/HCDiskQuotaService.csv



(2)
There is a password recovery feature in Admin login page of Hosting Controller ,
which send back your password to registred e-mail address saved in system.
if you know the site domain name , and remove the .com/.net/.* part 
and submit it as the asked "login ID" , Hosting Controller will disclose the
hosting owners e-mail , which is not usually the one , mentioned in
site itself ;)
mix this bug with (1) and have fun :)

/admin/forgotpassword.asp




when does these comes usefull ?

my own scenario :
I had to penetrate into a site . well , server had no special remote
flaw and web-site
itself hadn`t any bug to use . I used this trick to find a vulnerable
web site on same server
and used it`s flaws to gain access to my final target ...





Solution
----------

The vender was notified, they have released a patch.
Update Your software


Credits
---------

Discovered on 10 Apr 2004 by (\/) Mouse and Hamid Kashfi
Mouse@xxxxxxxxxxxx
hamid@xxxxxxxxxxxxx


References
-------------

http://isun.Shabgard.org/hc2.html
http://isun.Shabgard.org/hc2.txt



-- 
(\/)

Prev by Date: UnixWare 7.1.4 : Samba multiple security issues
Next by Date: Re: thoughts and a possible solution on homograph attacks
Previous by thread: UnixWare 7.1.4 : Samba multiple security issues
Next by thread: UnixWare 7.1.4 : squid updated package fixes several security issues
Index(es):
- Date
- Thread