Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 5.0
CVE Id: CVE-2006-1620
Last Modified: 05 Sep 2008 05:02:24
Published: 05 Apr 2006 06:04:00
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2006-1620

Summary

admin/accounts/AccountActions.asp in Hosting Controller 2002 RC 1 allows remote attackers to modify passwords of other users, probably via an "Update User" ActionType with a modified UserName parameter and the PassCheck parameter set to TRUE. It was later reported that the vulnerability is present in 6.1 Hotfix 3.3 and earlier.

Vulnerable Systems

Application

  • Hosting Controller 2002 RC 1

  • Hosting Controller 6.1 Hotfix 3.3


References

XF - hostingcontroller-multiple-security-bypass(39038)

XF - hosting-controller-accountactions-password(25673)

BID - 26862

BUGTRAQ - 20071213 Hosting Controller - Multiple Security Bugs (Extremely Critical)

BUGTRAQ - 20060402 Hosting Controller AccountActions.asp and saveuploadfiles.asp vulns (PoC)

OSVDB - 24773

MILW0RM - 4730

SECUNIA - 28973

CONFIRM - http://hostingcontroller.com/english/logs/Post-Hotfix-3_3-sec-Patch-ReleaseNotes.html


Last Updated: 27 May 2016 10:42:09