BugReport.ir - Hosting Controller 6.1 - SQL Injection in "/accounts/accountmanager.asp"

Title: SQL Injection in "/accounts/accountmanager.asp"
Vendor: Hosting Controller
Version: 6.1 Hot fix <= 3.3
Vendor URL: www.hostingcontroller.com
Solution: N/A
Exploit: Available
Release Date: 2007 - December
Credit: BugReport.IR

####################
- Discussion:
####################

5- [User] can see all the database information by a SQL injection.
[User] = (A user with a simple account.)


####################
- Solution:
####################

Unfortunately, there is no support from hosting controller about these bugs. Also, they told us that there is no more support for HC 6.1.
Fast Solution:
Delete or rename these files which are in "Hosting Controller\web\admin\": 

- "/accounts/accountmanager.asp"


Also, you can contact "admin[4t}bugreport{d0t]ir" to fix all these bugs for you without changing or deleting any file if you want.

####################
- Credit :
####################

AmnPardaz Security Research Team - www.Bugreport.ir
Contact: admin[4t}bugreport{d0t]ir