Title:  Remote Authenticated Users Execute a File Under Administrative Privilege
Vendor: Hosting Controller
Version: 6.1 Hot fix <= 3.3
Vendor URL: www.hostingcontroller.com
Solution: N/A
Exploit: Available
Release Date: 2007 - December
Credit: BugReport.IR

####################
- Discussion:
####################

2- [User] can copy a file to the Hosting Controller web directory, where it is executed under administrative privilege, so an attacker can execute commands with administrative privilege. For example, an attacker can gain remote desktop access to the server this way by uploading an ASP file!
This bug exists because "inc_newuser.asp" can set full control permission on any "db", "www", "Special", or "log" directory on the server.

[User] = (A user with a simple account.)

####################
- Solution:
####################

Unfortunately, there is no support from Hosting Controller for these bugs. Also, they told us that there is no more support for HC 6.1.
Fast Solution:
Delete or rename these files, which are in "Hosting Controller\web\admin\":
- "/Accounts/AccountActions.asp"
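
To verify the workaround and review the permissions this advisory describes, an administrator can run an audit like the one below. It is an added example, not part of the original advisory or of Hosting Controller. The install path and hosted-sites root are assumptions to replace with the server's real locations, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: audit a Hosting Controller 6.1 host for the conditions in this advisory.
# $HcRoot and $SitesRoot are ASSUMED locations; pass the real ones for your server.
param(
    [string]$HcRoot    = 'C:\Program Files\Hosting Controller',  # assumed install path
    [string]$SitesRoot = 'D:\WebSites'                            # assumed hosted-sites root
)

# 1. Is the file named under "Fast Solution" still present under web\admin?
$target = Join-Path $HcRoot 'web\admin\Accounts\AccountActions.asp'
if (Test-Path -LiteralPath $target) {
    Write-Warning "Workaround not applied: $target still exists"
} else {
    Write-Output "OK: $target is absent (deleted or renamed)"
}

# 2. Report Allow/FullControl entries on db, www, Special and log directories
#    that belong to anyone other than the identities listed in $trusted.
$names   = 'db', 'www', 'Special', 'log'
# Well-known SIDs: SYSTEM, BUILTIN\Administrators, CREATOR OWNER
$trusted = 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0'
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl

$findings = Get-ChildItem -LiteralPath $SitesRoot -Directory -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $names -contains $_.Name } |
    ForEach-Object {
        $dir = $_.FullName
        (Get-Acl -LiteralPath $dir).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $full) -eq $full
            } |
            ForEach-Object {
                # Resolve the account name to a SID; fall back to the raw value if it cannot be translated
                $sid = try {
                    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
                } catch { $_.IdentityReference.Value }
                if ($trusted -notcontains $sid) {
                    [pscustomobject]@{
                        Directory = $dir
                        Identity  = $_.IdentityReference.Value
                        Inherited = $_.IsInherited
                    }
                }
            }
    }

$findings | Sort-Object Directory, Identity | Format-Table -AutoSize
```

Any row in the output is a non-administrative identity holding full control over a directory of the kind "inc_newuser.asp" is reported to modify, and should be compared against the permissions the site is meant to have.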


Also, you can contact "admin[4t}bugreport{d0t]ir" to fix all these bugs for you without changing or deleting any file if you want.

####################
- Credit :
####################

AmnPardaz Security Research Team - www.Bugreport.ir
Contact: admin[4t}bugreport{d0t]ir