Bugtraq mailing list archives

Hosting Directory Traversal madness...


From: Phuong Nguyen <dphuong () yahoo com>
Date: Mon, 18 Mar 2002 14:44:14 -0800 (PST)

Hosting Controller directory traversal (/../) madness

Date 03/14/2002

Some hosting providers mailed me and asked me to do a
bit more research about Hosting Controller. They
said their clients' sites have been deleted
mysteriously, and defacements still happen quite at
large even though they have applied all the patches.
So here's what I found.

Bug #1

File_editor.asp allows clients to edit their web pages
online, without the need to download, edit the pages
and re-upload using FTP. File_editor.asp is vulnerable
to the /../ which allows an attacker to break out of his root
path and edit any files on the host.

Bug #2

Folderactions.asp is also vulnerable to dot dot slash
/../, which allows an attacker to create or delete files and
directories on the server at his choice. This is
rather dangerous because Hosting Controller does not
perform proper permission checking and user right
checking, so the attacker can delete anything he wants;
the current patches from Hosting Controller do NOT fix
this.

If you combine those two bugs together then you
actually can compromise the server. I won't explain to
you how to do that in order to protect the Hosting
Controllers' users. 
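Both bugs come down to the same missing check: the ASP pages take a client-supplied file path and never confirm that it still lies under that client's own root directory. The function below is an added example of such a confinement check; it is not code from Hosting Controller or from the attached fix, and the root directory and request strings in it are constructed for illustration.

```python
import posixpath


def confine_to_root(client_root, requested):
    """Map a user-supplied path onto the client's root directory.

    Returns the normalized absolute path when the request stays under
    client_root, or None when it would escape (the /../ case above).
    Paths are normalized POSIX-style after converting backslashes, so the
    check behaves the same on every platform; if the document root can
    contain symlinks, also pass the result through os.path.realpath.
    """
    root = posixpath.normpath("/" + client_root.replace("\\", "/").strip("/"))
    # IIS accepts both separators. A leading separator would make
    # posixpath.join discard the root, so strip it and join relative to root.
    relative = requested.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # The trailing "/" stops a sibling directory that merely shares the
    # root's name as a prefix (e.g. client1_backup) from passing the check.
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def triage(client_root, requests):
    """Return {request: resolved-path-or-None} for a batch of requests."""
    return {r: confine_to_root(client_root, r) for r in requests}


if __name__ == "__main__":
    # Constructed sample requests a file editor or folder-action page might see.
    sample = [
        "public_html/index.htm",
        "docs/../index.htm",
        "/../../etc/passwd",
        "..\\..\\client2\\default.asp",
        "../client1_backup/secret.txt",
    ]
    for req, path in triage("/srv/hosting/client1", sample).items():
        print(f"{req!r:35} -> {'REJECT' if path is None else path}")
```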

Fix:

I attached the fixed versions of folderactions.asp and
file_editor.asp. All you need to do is replace your
old *.asp files with these ones.

Vendor has been contacted.

Phuong Nguyen



Attachment: fix.zip
Description: fix.zip

