Multiple Remote Vulnerabilities
When will these be fixed? We had servers hacked last year and you said there were no problems in HC and asked us to show you proof. Well, here is proof.
http://www.securityfocus.com/bid/26862/info
Hosting Controller is prone to 14 remote vulnerabilities, including seven unauthorized-access issues, four SQL-injection issues, two information-disclosure issues, and one HTML-injection issue.
An attacker can exploit these issues to compromise the affected application, execute arbitrary code within the context of the webserver process, steal cookie-based authentication credentials, access or modify data, exploit latent vulnerabilities in the underlying database, obtain sensitive information, and gain unauthorized access to the affected application.
1- [Remote Attacker] can log in to the Hosting Controller panel. He can also change all others' passwords.
2- [User] can copy a file to the Hosting Controller web directory, which is executed with administrative privileges, so an attacker can execute his commands with administrative privileges, e.g. an attacker can gain remote desktop access to the server using this bug and uploading an ASP file!
3- [Remote Attacker] can make a new user.
4- [Remote Attacker] can change all users' profiles.
5- [User] can see all the database information by a SQL injection.
6- [User] can change his credit amount or increase his discount.
7- [User] can uninstall others' FrontPage extensions.
8- [User] can delete all gateway information.
9- [User] can enable or disable pay type.
10- [User] can see all usernames in the server by "fp2000/NEWSRVR.asp".
11- [User] can find Hosting Controller setup directory.
12- [User] can import unwanted plan or change the plans.
13- [Remote Attacker] can find web site path.
14- [Remote Attacker] can enable or disable all Hosting Controller forums by SQL Injection.
15- [User] can change others' host headers.
[Remote attacker] = (Unauthorized user without any permission or access.)