Hosting Controller Hidden Field Password Changing Vulnerability

Hosting Controller is an application which consolidates all hosting tasks into one interface. Hosting Controller runs on Microsoft Windows operating systems.

A problem has been discovered that could allow users with valid Hosting Controller accounts to change arbitrary passwords. Hosting Controller uses a hidden field to specify the username when a password change is performed. By changing the username specified in the hidden field, it is possible to change the password of that user.
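The flaw described above, modelled as an added example that is not Hosting Controller's code: one handler trusts the username submitted with the form, the other takes the account from server-side session state. All names (`make_store`, `session`, the form keys) and the sample accounts are hypothetical, and the current-password check is an extra hardening step not mentioned in the advisory.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _set_password(store, user, new_password):
    salt = os.urandom(16)
    store[user] = (salt, _hash(new_password, salt))

def make_store():
    # Constructed sample data: two accounts in an in-memory store.
    store = {}
    for user, pw in (("alice", "alice-old"), ("bob", "bob-old")):
        _set_password(store, user, pw)
    return store

def check_password(store, user, password):
    salt, digest = store[user]
    return hmac.compare_digest(digest, _hash(password, salt))

def change_password_vulnerable(store, session, form):
    # Flawed pattern: the target account comes from a client-controlled
    # hidden form field, so the session identity is never consulted.
    user = form["username"]
    _set_password(store, user, form["new_password"])
    return user

def change_password_hardened(store, session, form):
    # The target account is taken only from server-side session state.
    user = session["user"]
    # A submitted username that disagrees with the session is rejected;
    # in production this mismatch is also worth logging as tampering.
    if form.get("username", user) != user:
        raise PermissionError("username field does not match session")
    # Assumed extra control: require the current password as well.
    if not check_password(store, user, form.get("current_password", "")):
        raise PermissionError("current password incorrect")
    _set_password(store, user, form["new_password"])
    return user
```
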


Copyright 2010, SecurityFocus