Vulnerability Scanning Solutions, LLC.
What We Scan For
Family: CGI abuses --> Category: infos

Hosting Controller < 6.1 Hotfix 2.2 Multiple Vulnerabilities Vulnerability Scan


Vulnerability Scan Summary
Checks for multiple vulnerabilities in Hosting Controller < 6.1 hotfix 2.2

Detailed Explanation for this Vulnerability Test

Synopsis :

The remote web server contains an ASP application with multiple flaws.

Description :

According to its reported version number, the Hosting Controller
installation on the remote host is affected by multiple flaws:

- Denial of Service Vulnerabilities
By requesting the 'editplanopt3.asp', 'planmanager.asp'
and 'plansettings.asp' scripts directly, or with specific
parameters, an attacker can cause the 'inetinfo.exe'
process (the IIS service process) to consume a large
amount of CPU resources.

- Multiple SQL Injection Vulnerabilities
An authenticated attacker can alter the SQL queries the
application executes by manipulating input to the
'searchtext' parameter of the 'IISManagerDB.asp' and
'AccountManager.asp' scripts and the 'ListReason'
parameter of the 'listreason.asp' script.

- Access Rights Vulnerabilities
Several scripts fail to restrict access to privileged
users, which allows non-privileged users to add accounts
with elevated rights and to change various plan settings.
A separate flaw allows a user to gain elevated rights by
first accessing the 'dsp_newreseller.asp' script and then
returning to the application's homepage.
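
The SQL injection class described above, shown as an added example that is not Hosting Controller's own code and not part of this scan page: a lookup that concatenates the 'searchtext' value into its query beside the same lookup written with a bound parameter. The table and column names, the sample rows and the payload are constructed for the demonstration; the real application's schema and queries are not known from this page.

```python
import sqlite3

# Constructed sample rows standing in for an account table. The table and
# column names are assumptions for this demo, not the real product schema.
SAMPLE_ACCOUNTS = [
    ("alice", "reseller"),
    ("bob", "enduser"),
    ("carol", "admin"),
]

# A 'searchtext' value that closes the quoted LIKE pattern and comments out
# the remainder of the statement, so the WHERE clause is always true.
INJECTION = "zzz' OR 1=1 --"


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def search_vulnerable(conn, searchtext):
    """Flawed pattern: user input is spliced straight into the SQL text."""
    sql = ("SELECT username, role FROM accounts "
           "WHERE username LIKE '%" + searchtext + "%'")
    return conn.execute(sql).fetchall()


def search_parameterized(conn, searchtext):
    """Hardened pattern: the value travels as a bound parameter, so any
    quotes or comment markers it contains are treated as data only."""
    sql = "SELECT username, role FROM accounts WHERE username LIKE ?"
    return conn.execute(sql, ("%" + searchtext + "%",)).fetchall()


def run_demo():
    """Return row counts for a benign term and the payload under both
    query styles; the vulnerable query leaks every account on the payload."""
    conn = make_db()
    return {
        "vulnerable_benign": len(search_vulnerable(conn, "ali")),
        "vulnerable_payload": len(search_vulnerable(conn, INJECTION)),
        "parameterized_benign": len(search_parameterized(conn, "ali")),
        "parameterized_payload": len(search_parameterized(conn, INJECTION)),
    }


if __name__ == "__main__":
    for name, count in run_demo().items():
        print(f"{name}: {count} row(s)")
```

The benign term "ali" returns one row either way; the payload returns all three rows from the concatenating query and none from the parameterized one, which is the observable difference a tester looks for when probing a parameter like 'searchtext'.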

See also :

http://hostingcontroller.com/english/logs/hotfixlogv61_2_2.html

Solution :

Upgrade to version 6.1 if necessary and apply Hotfix 2.2. This check
relies on the version number the application reports and does not
attempt to exploit any of the flaws, so re-scan after applying the
hotfix to confirm that the finding no longer appears.

Threat Level:

Low / CVSS Base Score : 3
(AV:R/AC:L/Au:R/C:P/A:N/I:P/B:N)


VSS, LLC.

P.O. Box 827051

Pembroke Pines, FL 33082-7051
