DESCRIPTION

Hosting Controller is an all-in-one administrative hosting tool for Windows. It automates a wide range of hosting tasks and provides control of each hosted site to the respective owners. Hosting Controller is now widely used by hosting providers and can be found at http://www.hostingcontroller.com.

SUMMARY

PRODUCT Hosting Controller
VENDOR Hosting Controller
AFFECTED VERSIONS Hosting Controller < 1.4.1
SEVERITY
IDENTIFIER N/A
TESTED PLATFORM Windows 2000 Professional

E-CQURITY discovered multiple vulnerabilities in the software that allow an attacker to browse directories that are not intended to be publicly accessible and to upload scripts that manipulate files and take control of the administration of sites managed with Hosting Controller.

IMPACT

Arbitrary Directory Browsing.

Create new domain and Gain administration's control.

Upload and Execute Arbitrary Code.

DETAILS

[Vulnerability #1] Browsing Non-public Directories Allowed

Hosting Controller has a security flaw which allows outside attackers to browse any file and any directory without authentication. Files cannot be read this way; however, the second vulnerability (explained below) allows compromise of the whole server.

[Vulnerability #2] Dot-Dot-Slash bug and autosignup/dsp_newwebadmin.asp

The dsp_newwebadmin.asp script from Hosting Controller can be executed by using, eg:

http://www.eg.com/hc/autosignup/dsp_newwebadmin.asp

This allows an attacker to create a new domain name and a new account without logging in as administrator. After the new account has been created using the script dsp_newwebadmin.asp, the attacker can log into Hosting Controller with it.

Once logged in, the attacker can use all Hosting Controller menu options as owner of the new account. The newly created domain name cannot yet be accessed, because it must first be activated by the "resadmin".

To gain control of administration and execute arbitrary code on the hosting server, the attacker need only click Hosting Controller's "Directories" option on the left-hand side, which leads to the "File Manager" page. By design, this page only allows managing files within \webspace\resadmin\youraccount\youraccount.com.

However, Hosting Controller's filemanager.asp is also vulnerable to the well-known "dot dot slash" (..\) bug, allowing directory traversal via a URL such as:

http://www.eg.com/hc/folders/filemanager.asp&siteindex=testing&sitename=testing.com&OpenPath=C:\webspace\resadmin\testing\testing.com\www\..\..\..\..\..\

The attacker is then able to read, delete, rename and upload files anywhere on the eg.com server. For example, ntdaddy.asp or cmdasp.asp can be uploaded to active domain names so that the attacker can execute commands via a web browser. With a little bit of work, the attacker can also upload nc.exe and call it from an ASP script... Thereafter, the site is of course toast.
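As an added example (not part of the original advisory and not Hosting Controller's code), this is the server-side confinement check that a file manager needs before honouring a user-supplied OpenPath: the value is canonicalised with Windows path semantics and rejected unless it stays under the account's own webspace directory. The directory layout C:\webspace\resadmin\<account>\<account>.com is taken from the advisory; the function names are assumptions.

```python
import ntpath

# Layout described in the advisory: each account's File Manager is meant to be
# limited to \webspace\resadmin\<account>\<account>.com (drive letter assumed).
WEBSPACE_ROOT = "C:\\webspace\\resadmin"


def account_root(account: str, domain: str) -> str:
    """Directory the account's File Manager is supposed to be limited to."""
    return ntpath.join(WEBSPACE_ROOT, account, domain)


def resolve_open_path(open_path: str, account: str, domain: str):
    """Canonicalise an OpenPath value and confine it to the account root.

    Returns the normalised path (lower-cased, no '..' segments) when it stays
    inside the account's webspace, or None when it escapes: dot-dot-slash
    traversal, a different drive, a UNC path, or a sibling account's tree.
    """
    root = ntpath.normcase(ntpath.normpath(account_root(account, domain)))
    candidate = open_path.replace("/", "\\")
    # Only absolute local paths are expected; never follow a UNC path.
    if candidate.startswith("\\\\"):
        return None
    # Drive-less or relative input is interpreted relative to the account root.
    if ntpath.splitdrive(candidate)[0] == "":
        candidate = ntpath.join(root, candidate.lstrip("\\"))
    # normpath collapses every '..' *before* the containment check, so
    # "...\\www\\..\\..\\..\\..\\..\\" becomes "C:\\" and is rejected below.
    resolved = ntpath.normcase(ntpath.normpath(candidate))
    try:
        # Component-wise comparison: "testing.comEVIL" does not match "testing.com".
        if ntpath.commonpath([root, resolved]) != root:
            return None
    except ValueError:  # paths on different drives share no common path
        return None
    return resolved


if __name__ == "__main__":
    # The traversal value from the advisory's proof of concept, and a legitimate one.
    traversal = "C:\\webspace\\resadmin\\testing\\testing.com\\www\\..\\..\\..\\..\\..\\"
    legit = "C:\\webspace\\resadmin\\testing\\testing.com\\www"
    for value in (traversal, legit):
        print(value, "->", resolve_open_path(value, "testing", "testing.com"))
```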

PROOF OF CONCEPT

[Vulnerability #1] Browsing Non-public Directories Allowed

Scripts that allow browsing anywhere on the server:

http://www.eg.com/hc/stats/statsbrowse.asp?filepath=c:\&Opt=3
http://www.eg.com/hc/serv_u/servubrowse.asp?filepath=c:\&Opt=3
http://www.eg.com/hc/adminsettings/browsedisk.asp?filepath=c:\&Opt=3
http://www.eg.com/hc/adminsettings/browsewebalizerexe.asp?filepath=c:\&Opt=3
http://www.eg.com/hc/SQLServ/sqlbrowse.asp?filepath=c:\&Opt=3

The directory "hc" is an example of the path to the Hosting Controller script on the sample domain. The actual "hc" directory name -- such as "admin" or "hostingcontroller" -- must be discovered for each "eg.com" and replaced in the above URL scripts.

[Vulnerability #2] Dot-Dot-Slash bug and autosignup/dsp_newwebadmin.asp

http://www.eg.com/hc/folders/filemanager.asp&siteindex=testing&sitename=testing.com&OpenPath=C:\webspace\resadmin\testing\testing.com\www\..\..\..\..\..\

VENDOR STATUS

The vendor has verified the issues and released a patch that addresses them. The patch/fixed version can be downloaded from the official website http://www.hostingcontroller.com.

CREDIT

Phuong Nguyen

DISCLOSURE TIMELINE

N/A

APPENDIX

N/A

REFERENCES

N/A