Vulnerabilities > CVE-2006-3147 - Privilege Escalation vulnerability in Hosting Controller Addreseller.ASP

CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
hosting-controller
nessus
exploit available

Summary

Unspecified vulnerability in Hosting Controller before 6.1 (aka Hotfix 3.2) allows remote authenticated attackers to gain host admin privileges, list all resellers, or change resellers' passwords via unspecified vectors. NOTE: due to the lack of precise details, it is not clear whether this is related to a previously disclosed issue such as CVE-2005-1788.

Exploit-Db

description: Hosting Controller <= 6.1 Hotfix 3.1 Privilege Escalation Vulnerability. CVE-2006-3147. Webapps exploit for asp platform
id: EDB-ID:1987
last seen: 2016-01-31
modified: 2006-07-06
published: 2006-07-06
reporter: Soroush Dalili
source: https://www.exploit-db.com/download/1987/
title: Hosting Controller <= 6.1 Hotfix 3.1 - Privilege Escalation Vulnerability

Nessus

NASL family: CGI abuses
NASL id: HOSTING_CONTROLLER_61_31.NASL
description: According to its version number, the installation of Hosting Controller on the remote host enables any authenticated user to gain host admin privileges and view all his resellers and change their passwords.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 21736
published: 2006-06-21
reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/21736
title: Hosting Controller <= 6.1 Hotfix 3.1 Authenticated User Privilege Escalation
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Registration pass: when `description` is set, the script only declares its
# metadata (identifiers, report text, scoring, scheduling hints) and then
# exits via the exit(0) at the end of this block, so the version check further
# down does not run in this pass.
if (description)
{
  script_id(21736);
  script_version("1.16");

  # Cross-references used to correlate this finding with other advisories.
  script_cve_id("CVE-2006-3147");
  script_bugtraq_id(18565);
  script_xref(name:"EDB-ID", value:"1987");

  script_name(english:"Hosting Controller <= 6.1 Hotfix 3.1 Authenticated User Privilege Escalation");
  script_summary(english:"Checks version of Hosting Controller");
 
 
 # Report text. The description states that the finding is derived from the
 # version number, i.e. it is not a confirmation that the flaw was exercised.
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains an ASP application that suffers from a
privilege escalation vulnerability." );
 script_set_attribute(attribute:"description", value:
"According to its version number, the installation of Hosting
Controller on the remote host enables any authenticated user to gain
host admin privileges and view all his resellers and change their
passwords." );
 script_set_attribute(attribute:"see_also", value:"https://hostingcontroller.com/english/logs/hotfixlogv61_3_2.html" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to version 6.1 if necessary and apply Hotfix 3.2 or later." );
 # CVSS v2 base vector: network attack vector, low complexity, a single
 # authentication required, partial impact on confidentiality, integrity and
 # availability.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
 # CVSS v2 temporal vector: functional exploit (E:F), official fix available
 # (RL:OF), report confirmed (RC:C).
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"plugin_publication_date", value: "2006/06/21");
 script_set_attribute(attribute:"vuln_publication_date", value: "2006/06/20");
 script_cvs_date("Date: 2018/11/15 20:50:17");
# NOTE(review): plugin_type is declared "local", yet the check in this file
# only reads a version string from the KB for web ports - confirm this is the
# intended classification.
script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();

 
  # Declared as an information-gathering script; the visible check only reads
  # KB entries and reports.
  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");

  # presumably hosting_controller_detect.nasl is what stores the
  # www/<port>/hosting_controller version entries read by the check - confirm.
  script_dependencies("hosting_controller_detect.nasl");
  # NOTE(review): the port requirement names "Services/hosting_controller",
  # while the check iterates "Services/www" plus port 8887 - confirm the two
  # are meant to differ.
  script_require_ports("Services/hosting_controller");

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");


# Version-based check: report every web port whose recorded Hosting Controller
# version is 6.1 Hotfix 3.1 or older. The code here only reads the knowledge
# base and reports; the verdict is therefore only as reliable as the version
# string stored by the detection step.
# Port 8887 is always added to the candidate list - presumably the product's
# default port; confirm.
candidate_ports = add_port_in_list(list:get_kb_list("Services/www"), port:8887);
foreach p (candidate_ports)
{
  installed = get_kb_item(string("www/", p, "/hosting_controller"));

  # No Hosting Controller version recorded for this port.
  if (!installed) continue;

  # Matches "2002", any 0.x-5.x release, 6.0, a bare "6.1", and 6.1 with
  # hotfix 0.x-2.x or 3.0/3.1.
  # NOTE(review): the trailing "3\.[01]" alternative has no right-hand anchor,
  # so a hotfix label such as "3.10" would also match - confirm whether such
  # labels can occur, since that would be a false positive on a fixed build.
  if (installed =~ "^(2002|[0-5]\.|6\.(0|1($| hotfix ([0-2]\.|3\.[01]))))")
  {
    security_warning(p);

    # One finding is enough unless thorough tests were requested.
    if (!thorough_tests) exit(0);
  }
}