Title: Remote Attacker can change all user's profiles.
Vendor: Hosting Controller
Version: 6.1 Hot fix <= 3.3
Vendor URL: www.hostingcontroller.com
Solution: N/A
Exploit: Available
Release Date: 2007 - December
Credit: BugReport.IR

####################
- Discussion:
####################

4- [Remote Attacker] can change all user's profiles. Because of "/hosting/addreseller.asp"
[Remote attacker] = (Unauthorized user without any permission or access.)

####################
- Solution:
####################

Unfortunately, there is no support from hosting controller about these bugs. Also, they told us that there is no more support for HC 6.1.
Fast Solution:
Delete or rename these files which are in "Hosting Controller\web\admin\": 
- "/hosting/addreseller.asp"


Also, you can contact "admin[4t}bugreport{d0t]ir" to fix all these bugs for you without changing or deleting any file if you want.

####################
- Credit :
####################

AmnPardaz Security Research Team - www.Bugreport.ir
Contact: admin[4t}bugreport{d0t]ir