Bugtraq mailing list archives

RE: Hosting Directory Traversal madness...

From: Phuong Nguyen <dphuong () yahoo com>
Date: Tue, 19 Mar 2002 06:52:50 -0800 (PST)

Guys,

I'm sorry, it's my bad not to tell which platform and
version i tested on. I tested on Windows 2000, version
1.4.1 with all patches applied, probably affected
previous versions as well.

Phuong

--- "Shannon.ONeil" <Shannon.ONeil () target com> wrote:

Phoung,

What is the platform, please?

-----Original Message-----
From: Phuong Nguyen [mailto:dphuong () yahoo com]
Sent: Monday, March 18, 2002 16:44
To: bugtraq () securityfocus org
Subject: Hosting Directory Traversal madness...

Hosting Controller directory traversal (/../)
madness

Date 03/14/2002

Some hosting providers mailed me and asked me to do
a
bit more researches about Hosting Controller, they
said their clients' sites have been deleted
mysteriously, and defacement still happens quite at
large even though they have applied all the patches.
So here's what i found.

Bug #1

File_editor.asp allows clients to edit their web
pages
online, without the need to download, edit the pages
and re-upload using FTP. File_editor.asp is
vulnerable
to the /../ which allows attacker to breakout his
root
path and edit any files on the hosts. 

Bug #2

Folderactions.asp is also vulnerable to dot dot
slash
/../, allows attacker to create, delete, files,
directories on the server at his choice. This is
rather dangerous because Hosting Controller does not
perform proper permission checking and user right
checking so the attacker can delete anything he
wants,
the current patches from Hosting Controller do NOT
fix
this. 

If you combine those two bugs together then you
actually can compromise the server. I won't explain
to
you how to do that in order to protect the Hosting
Controllers' users. 

Fix:

I attached the fixed version of folderactions.asp
and
file_editor.asp. All you need to do is replace your
old *.asp files with these one.

Vendor has been contacted.

Phuong Nguyen

__________________________________________________
Do You Yahoo!?
Yahoo! Sports - live college hoops coverage
http://sports.yahoo.com/



__________________________________________________
Do You Yahoo!?
Yahoo! Sports - live college hoops coverage
http://sports.yahoo.com/

Current thread:

Hosting Directory Traversal madness... Phuong Nguyen (Mar 18)
- <Possible follow-ups>
- RE: Hosting Directory Traversal madness... Phuong Nguyen (Mar 20)