Hosting Controller (II) - Multiple Vulnerabilities
Hosting Controller is an all-in-one administrative hosting tool for Windows. It automates a wide range of hosting tasks and provides control of each hosted site to the respective owners.
Hosting Controller is now widely used by hosting providers and can be found at: http://www.hostingcontroller.com
Multiple vulnerabilities in Hosting Controller have been discovered yet again, allowing an attacker to create or remove arbitrary files or folders on the system:
Unauthorized file editing,
Unauthorized folder management.
[Vulnerability #1] Unauthorized file editing
The script file_editor.asp allows clients to edit their web pages online, without needing to download and re-upload them. The script in question, however, does not validate the user's input; hence, an attacker can use /../ sequences to break out of his root path and edit any file on the vulnerable Hosting Controller server.
[Vulnerability #2] Unauthorized folder management
folderactions.asp is also vulnerable to the aforementioned dot-dot-slash (/../) sequence, letting the attacker create or delete files or directories on the server at will. This is rather dangerous because Hosting Controller does not have any permission or user-rights checking in place, so the attacker is guaranteed to be able to delete anything he wants. Note that the current patches from Hosting Controller do NOT fix this issue.
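The input validation that both file_editor.asp and folderactions.asp are described as lacking, shown as an added example in Python (this is not Hosting Controller's own ASP code). The customer root, the script names paired with request paths, and the sample requests are constructed for illustration; paths are normalised IIS-style, so both backslash and slash count as separators.

```python
import posixpath
from urllib.parse import unquote

# Added example, not Hosting Controller code: a containment check that keeps a
# client-supplied path under the customer's own web root.

def flatten_client_path(requested: str) -> str:
    """Decode and normalise a client-supplied path fragment."""
    decoded = requested
    for _ in range(3):                      # also catches double-encoded %252e%252e
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    decoded = decoded.replace("\x00", "")   # NUL bytes once truncated file names
    return decoded.replace("\\", "/")       # treat '\' as a separator, like IIS

def resolve_within_root(user_root: str, requested: str):
    """Return the canonical path if it stays under user_root, otherwise None.

    Assumption: customer paths never legitimately contain ':', so drive
    letters and similar forms are rejected outright."""
    root = posixpath.normpath(user_root.replace("\\", "/"))
    rel = flatten_client_path(requested)
    if ":" in rel:
        return None
    candidate = posixpath.normpath(posixpath.join(root, rel.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None

# Constructed (script, requested path) pairs, as they might appear in a web log.
SAMPLE_REQUESTS = [
    ("file_editor.asp",   "pages/index.htm"),
    ("file_editor.asp",   "..\\..\\..\\winnt\\win.ini"),
    ("folderactions.asp", "%2e%2e%2f%2e%2e%2fInetpub"),
    ("folderactions.asp", "images/../logo.gif"),
]

def flag_escapes(user_root: str, requests=SAMPLE_REQUESTS):
    """List the (script, path) pairs that would have escaped user_root."""
    return [(s, p) for s, p in requests if resolve_within_root(user_root, p) is None]
```

Run over the sample pairs for root C:\HC\Sites\customer1, the two traversal requests are flagged while the in-root edits (including images/../logo.gif, which resolves to a file still under the root) are accepted.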
If the two bugs are combined, the attacker can actually take total control of the server. I won't expand too much on this.
N/A
The vendor has verified the issues and released a patch that addresses them. You can download the patch/fixed version from the official website: http://www.hostingcontroller.com
N/A
Phuong Nguyen (ECQ)
N/A
N/A