Re: Major Vulnerability in Alabanza Control Panel

[Weihan Leow <wleow () BUFFALO EDU>]

I meant 09-14-00.

Sorry for the confusion.

On Sun, 24 Sep 2000, Weihan Leow wrote:

> Vulnerability: Ability to add/modify domains in name servers of webhosting
>                companies who are reselling for Alabanza.
>
> Vendor Contacted:  Yes, 09-14-99 - Hole still exists.
>
> ==========================================================================
> Hello everyone,  I currently discovered a serious bug in the control
> panel that can really bring a webhost to it's knees.  This hole is for the
> control panel of all Alabanza based resellers/hosts.  There could be more
> bugs but I did not take the time to find them yet.  This is serious enough
> since you can delete all resold domains for a particulr webhosting
> company.  You can also change the default MX and CNAME records of all
> associated domains.
>
> By copying the following url to *most* alabanza host resellers, you have
> the ability to add a domain to their NS without the control panel user
> name and password:
>
> http://www.domain.com/cp/rac/nsManager.cgi?Domain=HAHAHA.org&IP=127.0.0.1&OP=add&Language=english&Submit=Confirm
> *The above link has been broken to prevent abuse. If you are an Alabanza
> based host/reseller, you can easily fix it*
>
> I have tested this on multiple domains and so far, most of them worked.
> You can substitute domain.com for any Alabanza host/reseller domain and
> for the domain you want DNS set up for, substitute HAHAHA.org for it.  I
> also changed the ip to localhost instead of whatever was in there.  The ip
> you put after IP= is the ip the domain will resolve to.
>
> Here is an example after typing in the above fixed link with a proper
> Alabanza domain in the beginning.
>
> Name Server Manager
> Domain HAHAHA.org will be added within 1 hour!
> Your domain HAHAHA.org 127.0.0.1 will be setup within 1 hour!
>
> Please click here to go back.
>
> After the submission of the domain, you are even given a link to take a
> look at the changes to be made.  From this page, you can delete as well
> as modify all associated domains:
>
> http://www.domain.com/cp/rac/nsManager.cgi?Language=english
> *Again, it's been broken*
>
> Again, no user name and password is required.
>
> This is one of the exploits I have currently found in the control panel.
> I have not looked further since this notice should make everyone aware of
> what potential problems can exist.  Serious damage to a host can be caused
> through this.
>
> If you would like to get it fixed, you better email the admins at
> Alabanza.  It's been more than a week since I have contacted them and no
> fix yet.  Hopefully, this will speed them up.
>
> Weihan Leow