CVE-2007-6495

Hosting Controller <6.1 Hot fix 3.3 - Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-6495. PoCs published by BugReport.IR.

AI-analyzed exploit summary The exploit demonstrates multiple vulnerabilities in Hosting Controller 6.1 Hot fix <= 3.3, including authentication bypass, privilege escalation, and arbitrary file upload leading to remote code execution. It provides detailed steps and HTML/JS PoC code for exploiting these flaws.

Description

inc_newuser.asp in Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to change the permissions of directories named (1) db, (2) www, (3) Special, and (4) log at arbitrary locations under the web root via a modified Dirroot parameter in an AddUser action to accounts/AccountActions.asp. NOTE: this can be leveraged for remote code execution by changing the permissions of \Forum\db, which is configured for execution of ASP scripts with administrative privileges, and then uploading a script to \Forum\db.

Exploits (1)

exploitdb WORKING POC VERIFIED

by BugReport.IR · textwebappsasp

https://www.exploit-db.com/exploits/4730

View Code ZIP pw:eip

The exploit demonstrates multiple vulnerabilities in Hosting Controller 6.1 Hot fix <= 3.3, including authentication bypass, privilege escalation, and arbitrary file upload leading to remote code execution. It provides detailed steps and HTML/JS PoC code for exploiting these flaws.

Classification

Working Poc 95%

Attack Type

Rce | Auth Bypass | Sqli | Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Hosting Controller 6.1 Hot fix <= 3.3

No auth needed

Prerequisites: Access to the target Hosting Controller web interface

MITRE ATT&CK