Hosting Controller 6.1 Hotfix 1.9 and earlier allows remote attackers to register arbitrary users via a direct request to addsubsite.asp with the loginname and password parameters set.
Weakness
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Hosting_controller | Hostingcontroller | * | 6.1 (excluding) |
| Hosting_controller | Hostingcontroller | 6.1 (including) | 6.1 (including) |
| Hosting_controller | Hostingcontroller | 6.1-hotfix1.0 (including) | 6.1-hotfix1.0 (including) |
| Hosting_controller | Hostingcontroller | 6.1-hotfix1.1 (including) | 6.1-hotfix1.1 (including) |
| Hosting_controller | Hostingcontroller | 6.1-hotfix1.2 (including) | 6.1-hotfix1.2 (including) |
| Hosting_controller | Hostingcontroller | 6.1-hotfix1.3 (including) | 6.1-hotfix1.3 (including) |
| Hosting_controller | Hostingcontroller | 6.1-hotfix1.4 (including) | 6.1-hotfix1.4 (including) |
| Hosting_controller | Hostingcontroller | 6.1-hotfix1.5 (including) | 6.1-hotfix1.5 (including) |
| Hosting_controller | Hostingcontroller | 6.1-hotfix1.6 (including) | 6.1-hotfix1.6 (including) |
| Hosting_controller | Hostingcontroller | 6.1-hotfix1.7 (including) | 6.1-hotfix1.7 (including) |
| Hosting_controller | Hostingcontroller | 6.1-hotfix1.8 (including) | 6.1-hotfix1.8 (including) |
| Hosting_controller | Hostingcontroller | 6.1-hotfix1.9 (including) | 6.1-hotfix1.9 (including) |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/127.html
- https://cwe.mitre.org/data/definitions/143.html
- https://cwe.mitre.org/data/definitions/144.html
- https://cwe.mitre.org/data/definitions/668.html
- https://cwe.mitre.org/data/definitions/87.html