Web Hosting Talk

Security by Obscurity in Hosting Controller LOL


FirstLast
05-21-2002, 03:47 AM
Advanced Web Hosting Controller for NT just censored my post in their forum. I'm just trying to help the poor webhosts who are vulnerable, and PAID to be that way.

I was able to determine that the admin of hostingcontroller.com uses Bank of America, among other things! Try this:

www.server_using_whc.tld/admin/browse.asp?FilePath=c:\&Opt=2&level=0

They've taken the browse.asp script off their dev server as of 5 minutes ago so you can't do: www.hostingcontroller.com.tld/admin/browse.asp?FilePath=c:\&Opt=2&level=0, but try someone else's machine. Gives you full view of the entire hard drive!!!

Wow, I've been watching this software evolve and it's quite powerful, however, THE SECURITY HAS ALWAYS SUCKED. Still does.

FirstLast
05-21-2002, 04:03 AM
http://www.nysolutions.com/admin/browse.asp?FilePath=c:\&Opt=2&level=0

Yikes!

FirstLast
05-21-2002, 04:26 AM
"They've taken the browse.asp script off their dev server ..."

In case you didn't catch it, you too should remove the browse.asp file from your box if you use Advanced Hosting Controller.

Just got a customer list over 2500 long from another poor admin...it's insanely easy.

hostingcontroller.com...powerful but perforated.

Walter
05-21-2002, 06:21 AM
:eek:

jgriff64
05-21-2002, 03:23 PM
It is good that you brought this to people's attention. You could, however, have stated that you have found a major security bug in the software, instead of putting many innocent companies at risk. Then you could have reported this to the program developers so they can work on a patch.

Would you like it if someone found a security hole in one of your servers and told everyone on a bulletin board before giving you the chance of fixing it?

I understand that you posted on the hosting controller board.

"I'm just trying to help the poor webhosts who are vulnerable"

Those poor webhosts that you have just opened up to anyone by doing this before a suitable patch could be made? You do a very good job of helping those poor hosts, don't you?
And you even advise people to go browsing through others' servers. Great help you have given those poor people.

Would it be viable for a moderator to edit this post so the exact problem is not abused any further?

Just like my friend who made this post, I am just trying to help those poor folk who use hosting controller.
Thank you.

RackMy.com
05-21-2002, 03:36 PM
I think he did try to contact HC direct: "censored my post in their forum"

jgriff64
05-21-2002, 03:41 PM
Of course they would censor the post if it put their customers at risk. Fancy displaying the whole security flaw like that. I am sure if he had put that he had found a major flaw in the software and then told them in private the whole details, they would not have censored the post.

Would you censor a post if someone put full details of a major security flaw in your system? I would think so.

Regards

RackMy.com
05-21-2002, 03:43 PM
Well, the problem with HC is that they sometimes do not take security problems seriously.

jgriff64
05-21-2002, 03:46 PM
Do you know of any security flaws people have reported to them that have not been fixed?
If so then I am appalled. I know they are not the best company in the world and I am not trying to defend them, however do you think it appropriate to display in such detail a security hole?

RackMy.com
05-21-2002, 04:08 PM
"Do you know of any security flaws people have reported to them that have not been fixed?" Actually, yes. There has been one that I know of for sure and I will see if I can dig up the information.

jgriff64
05-21-2002, 04:19 PM
That is bad if you know of one that has not yet been fixed.

I assume you will not post the full hole on this forum.

I would be grateful if you could PM me the details; I would like to see what Hosting Controller have to say about this.

jgriff64
05-21-2002, 04:22 PM
I would like to ask if anyone has contacted the poor person whose security flaw is published for all to view in the post above.

I will send them an email now just to make sure.

jgriff64
05-21-2002, 04:29 PM
Hosting Controller have released a patch for this security hole. It looks like at least they took this seriously.

FirstLast
05-21-2002, 05:20 PM
That's it, I'm never bringing these issues to the surface anymore...get nothing but flak for it every time.

If the software is in the public domain then I can understand; however, when it is commercial code that 'admins' are paying hard-earned money for, then the authors have a huge responsibility on their shoulders. Big responsibility=big payoff...little responsibility=little payoff. This particular vulnerability was so bloody lame it was funny...they shouldn't be charging money for code so flawed, or at least it shouldn't be under the guise of gold code...alpha, yes...beta, perhaps...gold, NOT!

Ciao

P.S. Thanks to the one chap that somewhat stood up for me. :)

jgriff64
05-21-2002, 05:27 PM
I for one appreciate you bringing this up. It is important you do this if you find something.
However I do complain about the way it was posted.
A little unfair on the people who have paid for this software.
I hope you do not take any offence to my posts.
They should not be charging for code so flawed, as you say, but the people who do pay for this software do not need their site plastered on a forum so everyone can browse their server.

That is all i have to say. No hard feelings I hope, just my point of view.
Best Regards

FirstLast
05-21-2002, 05:52 PM
jgriff64, no worries mate. I just got mad when my post disappeared off their forum. Typical. That's why I went a bit overboard here...you're prob right I shouldn't have put a no-brainer href right here, but hey, it got fixed right away!!!

"It looks like at least they took this seriously"

Yea, when you tell the world what bank the admin uses it tends to get top-priority. -grin-

I also got to see the author's favorite porn sites, and lots of other neat things. Seems they like porn in Islamabad just as much as here. -grin- Thought them Muslims were against that 'evil' stuff?!? -grin-

There's at least one other vulnerability in hc but mum's the word on that one.

Regards,
Lemonjello

MattF
05-21-2002, 08:06 PM
I for one fully support your post. It will teach software developers to take security and testing more seriously. Hopefully posts like this will encourage hosting companies to put pressure on such developers and hence less lame coding.

A product like HostingController, which will be used on a shared server, should go through a lot of Quality Assurance. In fact, with the licensing fees they could probably contract the QA to a third party.

In addition, it wasn't exactly a buffer overflow exploit, one that would be hard to spot and implement; it was merely poor coding that anyone could exploit.

FirstLast
05-21-2002, 11:34 PM
Thanks Matt. :)

Someone said "instead of putting many innocent companies at risk"...insinuating _I'm_ the one who is putting people at risk. lol. Misguided and misdirected is all I can say...but no hard feelings just the same.

Ciao!

projo
05-22-2002, 12:17 AM
Related:
http://www.securiteam.com/unixfocus/5CP0N0U6LG.html

neil
05-22-2002, 12:26 AM
Can you provide more information on this exploit? Specifically, how to download files from the server? I'm teaching myself some ASP and would be interested in what NOT to do...

-neil

Shannon
05-22-2002, 12:37 AM
Most important thing to keep in mind security-wise when programming? Regardless of whether it's a massive online game or a website?

Never Trust The Client: No, I don't mean the guy paying for the work to be done, I mean the remote user's computer. Client programs can be hacked and reverse engineered, and web programs can be tinkered with repeatedly to find a hole. If it's a web program that you're going to sell to 100s of other customers, assume that ONE of them is a bad guy looking to find a hole in your program to use against others who use the same program... trust NOTHING the client software gives you to be fact.

For instance, in the 10 seconds I looked at this thread earlier, it was rather obvious that the problem was the .asp file in question takes a querystring value (FilePath I believe it was) and bases all the on-screen display around that starting point... in short, it just assumed that if someone could get to the point of submitting that URL, they must be authorized to see the contents of the directory they say they want.

To put it another way... say you're a prison guard, and I'm convict Sam's lawyer. I walk up and say "Oh, the courts say Sam can go free"... do you just hand him over to me, or do you check with someone first? The script in question here just handed over the results without checking for some kind of authenticity first.

ALWAYS check for proper permissions... and never assume that just because someone knows the URL, they're the real person.
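As an added example (not code from the thread, and not Hosting Controller's browse.asp, which was classic ASP and is known here only from the description above), here is the pattern Shannon describes next to a hardened version of the same feature, written in Python so it runs stand-alone. The vulnerable handler lists whatever directory the FilePath query parameter names, with no session check and no confinement, which is exactly the "anyone who knows the URL is authorized" assumption. The hardened handler requires an authenticated admin session before touching the filesystem, treats FilePath as a name relative to the account's own root, and rejects anything (absolute paths, "..", symlinks) that resolves outside it. The session shape (`user`, `role`) and the per-account root directory are assumptions for the example; the Opt and level parameters from the thread's URL are accepted but ignored, since the page says nothing about what they did. The sample directory tree is constructed by the demo itself.

```python
"""Added example: 'trust the query string' directory browser vs. a hardened
one. Not Hosting Controller's code; reconstructed from the thread's
description of browse.asp?FilePath=...&Opt=2&level=0 only."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path
from urllib.parse import parse_qs


class Forbidden(Exception):
    """Raised when a request fails the authorization or path checks."""


def browse_vulnerable(query_string: str) -> list[str]:
    """The pattern the thread describes: read FilePath from the query
    string and list it. No session check, no confinement, so whoever can
    type the URL sees the directory (c:\\ included on a Windows box)."""
    params = parse_qs(query_string)
    file_path = params.get("FilePath", ["."])[0]
    return sorted(os.listdir(file_path))


def browse_hardened(query_string: str, session: dict, home_root: Path) -> list[str]:
    """Same feature with the two checks that were missing.

    1. Authorization: an authenticated session with an admin role is
       required before the filesystem is touched. Knowing the URL proves
       nothing.
    2. Confinement: FilePath is joined under home_root, fully resolved
       (symlinks and '..' included) and must still lie inside home_root.
    The session layout {'user', 'role'} is an assumption for this example.
    """
    if not session.get("user") or session.get("role") != "admin":
        raise Forbidden("login required")

    params = parse_qs(query_string)
    requested = params.get("FilePath", [""])[0]
    root = home_root.resolve()
    # os.path.join lets an absolute client value replace root; that is
    # fine, because the containment check below then rejects it.
    target = Path(os.path.join(root, requested)).resolve()
    if target != root and root not in target.parents:
        raise Forbidden(f"path {requested!r} escapes the account root")
    if not target.is_dir():
        raise Forbidden("not a directory")
    return sorted(p.name for p in target.iterdir())


def demo() -> dict:
    """Build a throwaway tree (constructed sample data, nothing real) and run
    both handlers against the thread's URL shape. Returns what each did."""
    base = Path(tempfile.mkdtemp())
    home = base / "reseller1"
    (home / "www").mkdir(parents=True)
    (home / "customers.txt").write_text("alice\nbob\n")
    other = base / "other_account"
    other.mkdir()
    (other / "banking.txt").write_text("constructed placeholder\n")

    anon: dict = {}
    admin = {"user": "reseller1", "role": "admin"}
    results: dict = {}

    # Anonymous request for a directory outside the account: the
    # vulnerable handler happily lists it.
    results["vuln_anon_outside"] = browse_vulnerable(f"FilePath={other}&Opt=2&level=0")

    # Hardened: an anonymous caller is refused before any path is read.
    try:
        browse_hardened(f"FilePath={other}&Opt=2&level=0", anon, home)
        results["hard_anon"] = "listed"
    except Forbidden as exc:
        results["hard_anon"] = f"forbidden: {exc}"

    # Hardened: even a logged-in admin cannot walk out of their own root.
    try:
        browse_hardened("FilePath=../other_account&Opt=2&level=0", admin, home)
        results["hard_admin_escape"] = "listed"
    except Forbidden as exc:
        results["hard_admin_escape"] = f"forbidden: {exc}"

    # Hardened: the legitimate use still works.
    results["hard_admin_home"] = browse_hardened("FilePath=.&Opt=2&level=0", admin, home)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order of the checks matters: the session test comes first so an unauthenticated caller never learns whether a path exists, and the containment test runs on the resolved path rather than on the raw string, so "..", absolute paths and symlinks are all caught by one comparison instead of a blacklist of characters.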

mpope
05-22-2002, 05:18 AM
<edit> (nevermind) ;) </edit>

webx
05-23-2002, 03:27 AM
One thing I have to add here. QA people cannot find such security holes. QA is usually based on functionality testing.

Shannon has given good advice on web applications security. In summary, "audit" every input from the web user.

Hope this helps someone :)

Umpire
05-23-2002, 11:44 AM
Good QA will evaluate the software as complete as possible. Security SHOULD be a main testing point for a web application.

For their application, accounts are created with certain permissions to do certain things. Security is a function of the product.

The problem is that the people in QA get so used to doing things in a certain way, they don't always think like their customers/users do.

just my opinion.
Umpire