Bugtraq mailing list archives
Hosting Controller Vulnerability
From: Ben M <webmaster () theratnerschool org>
Date: 13 Jul 2002 15:14:12 -0000
In Hosting Controller 2002, it is possible to change the password of any user, Administrator. To exploit this, one would have to:

- Add a user (/accounts/getuserdesc.asp)
- Edit the user, changing the password (/accounts/updateuserdesc.asp)
- Then, using something like the @stake web proxy, change the hidden field username to whatever they wanted (i.e., administrator), and submit the form.

The vendor was notified, and they have released a patch (http://hostingcontroller.com/English/downloads/inc_updateuser.zip), which was released within 48 hours of notification (good job!)
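The message above describes an update form where a client-supplied hidden field chooses which account is changed. As an added example (not part of the original post and not Hosting Controller's code, which is ASP), this Python model contrasts that behaviour with a server-side ownership check; the account names, the "owner" rule and all function names are assumptions made for illustration.

```python
# Constructed sample data: account -> creator ("owner") and password.
# Passwords are plain strings only to keep the model short.
def new_store():
    return {
        "administrator": {"owner": None, "password": "admin-secret"},
        "reseller1": {"owner": "administrator", "password": "reseller-secret"},
        "customer1": {"owner": "reseller1", "password": "customer-secret"},
    }

def may_edit(store, actor, target):
    """Assumed server-side rule: edit yourself or an account you created."""
    if actor not in store or target not in store:
        return False
    return actor == target or store[target]["owner"] == actor

def update_user_trusting(store, session, form):
    """Models the reported flaw: the hidden 'username' field alone
    selects the account; the logged-in user is never compared to it."""
    target = form.get("username")
    if session.get("user") not in store or target not in store:
        return False
    store[target]["password"] = form["password"]
    return True

def update_user_checked(store, session, form, audit):
    """Same form, but the target is authorised against the session
    identity, and refused attempts are recorded for review."""
    actor, target = session.get("user"), form.get("username")
    if not may_edit(store, actor, target):
        audit.append(("denied", actor, target))
        return False
    store[target]["password"] = form["password"]
    audit.append(("updated", actor, target))
    return True

if __name__ == "__main__":
    session = {"user": "reseller1"}  # identity held server-side
    # Form as received after the hidden field was altered in transit.
    form = {"username": "administrator", "password": "changed"}
    audit = []
    print("trusting handler accepted:",
          update_user_trusting(new_store(), session, form))
    print("checked handler accepted:",
          update_user_checked(new_store(), session, form, audit))
    print("audit log:", audit)
```

The denied entries in the audit list are the detection signal: a hidden field that disagrees with what the session is allowed to edit does not occur in normal use of the form.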