CVE-2007-6495 (GCVE-0-2007-6495)

Vulnerability from cvelistv5 – Published: 2007-12-20 20:00 – Updated: 2024-08-07 16:11
VLAI?
Summary
inc_newuser.asp in Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to change the permissions of directories named (1) db, (2) www, (3) Special, and (4) log at arbitrary locations under the web root via a modified Dirroot parameter in an AddUser action to accounts/AccountActions.asp. NOTE: this can be leveraged for remote code execution by changing the permissions of \Forum\db, which is configured for execution of ASP scripts with administrative privileges, and then uploading a script to \Forum\db.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References
http://osvdb.org/44184 vdb-entryx_refsource_OSVDB
http://secunia.com/advisories/28973 third-party-advisoryx_refsource_SECUNIA
http://www.securityfocus.com/archive/1/485028/100… mailing-listx_refsource_BUGTRAQ
http://hostingcontroller.com/english/logs/Post-Ho… x_refsource_CONFIRM
http://securityreason.com/securityalert/3474 third-party-advisoryx_refsource_SREASON
https://www.exploit-db.com/exploits/4730 exploitx_refsource_EXPLOIT-DB
http://www.securityfocus.com/bid/26862 vdb-entryx_refsource_BID
http://securitytracker.com/id?1019222 vdb-entryx_refsource_SECTRACK
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T16:11:06.057Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "44184",
            "tags": [
              "vdb-entry",
              "x_refsource_OSVDB",
              "x_transferred"
            ],
            "url": "http://osvdb.org/44184"
          },
          {
            "name": "28973",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/28973"
          },
          {
            "name": "20071213 Hosting Controller - Multiple Security Bugs (Extremely Critical)",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/485028/100/0/threaded"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://hostingcontroller.com/english/logs/Post-Hotfix-3_3-sec-Patch-ReleaseNotes.html"
          },
          {
            "name": "3474",
            "tags": [
              "third-party-advisory",
              "x_refsource_SREASON",
              "x_transferred"
            ],
            "url": "http://securityreason.com/securityalert/3474"
          },
          {
            "name": "4730",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/4730"
          },
          {
            "name": "26862",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/26862"
          },
          {
            "name": "1019222",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://securitytracker.com/id?1019222"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2007-12-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "inc_newuser.asp in Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to change the permissions of directories named (1) db, (2) www, (3) Special, and (4) log at arbitrary locations under the web root via a modified Dirroot parameter in an AddUser action to accounts/AccountActions.asp.  NOTE: this can be leveraged for remote code execution by changing the permissions of \\Forum\\db, which is configured for execution of ASP scripts with administrative privileges, and then uploading a script to \\Forum\\db."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-15T20:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "44184",
          "tags": [
            "vdb-entry",
            "x_refsource_OSVDB"
          ],
          "url": "http://osvdb.org/44184"
        },
        {
          "name": "28973",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/28973"
        },
        {
          "name": "20071213 Hosting Controller - Multiple Security Bugs (Extremely Critical)",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/485028/100/0/threaded"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://hostingcontroller.com/english/logs/Post-Hotfix-3_3-sec-Patch-ReleaseNotes.html"
        },
        {
          "name": "3474",
          "tags": [
            "third-party-advisory",
            "x_refsource_SREASON"
          ],
          "url": "http://securityreason.com/securityalert/3474"
        },
        {
          "name": "4730",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/4730"
        },
        {
          "name": "26862",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/26862"
        },
        {
          "name": "1019222",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://securitytracker.com/id?1019222"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2007-6495",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "inc_newuser.asp in Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to change the permissions of directories named (1) db, (2) www, (3) Special, and (4) log at arbitrary locations under the web root via a modified Dirroot parameter in an AddUser action to accounts/AccountActions.asp.  NOTE: this can be leveraged for remote code execution by changing the permissions of \\Forum\\db, which is configured for execution of ASP scripts with administrative privileges, and then uploading a script to \\Forum\\db."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "44184",
              "refsource": "OSVDB",
              "url": "http://osvdb.org/44184"
            },
            {
              "name": "28973",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/28973"
            },
            {
              "name": "20071213 Hosting Controller - Multiple Security Bugs (Extremely Critical)",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/485028/100/0/threaded"
            },
            {
              "name": "http://hostingcontroller.com/english/logs/Post-Hotfix-3_3-sec-Patch-ReleaseNotes.html",
              "refsource": "CONFIRM",
              "url": "http://hostingcontroller.com/english/logs/Post-Hotfix-3_3-sec-Patch-ReleaseNotes.html"
            },
            {
              "name": "3474",
              "refsource": "SREASON",
              "url": "http://securityreason.com/securityalert/3474"
            },
            {
              "name": "4730",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/4730"
            },
            {
              "name": "26862",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/26862"
            },
            {
              "name": "1019222",
              "refsource": "SECTRACK",
              "url": "http://securitytracker.com/id?1019222"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2007-6495",
    "datePublished": "2007-12-20T20:00:00",
    "dateReserved": "2007-12-20T00:00:00",
    "dateUpdated": "2024-08-07T16:11:06.057Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2007-6495\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2007-12-20T20:46:00.000\",\"lastModified\":\"2025-04-09T00:30:58.490\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"inc_newuser.asp in Hosting Controller 6.1 Hot fix 3.3 and earlier allows remote authenticated users to change the permissions of directories named (1) db, (2) www, (3) Special, and (4) log at arbitrary locations under the web root via a modified Dirroot parameter in an AddUser action to accounts/AccountActions.asp.  NOTE: this can be leveraged for remote code execution by changing the permissions of \\\\Forum\\\\db, which is configured for execution of ASP scripts with administrative privileges, and then uploading a script to \\\\Forum\\\\db.\"},{\"lang\":\"es\",\"value\":\"inc_newuser.asp en Hosting Controller 6.1 Hot fix 3.3 y anteriores, permite a usuarios remotos validados cambiar los permisos de los directorios llamados (1) db, (2) www, (3) Special, y (4) log en lugares de su elecci\u00f3n bajo la raiz web a trav\u00e9s de un par\u00e1metro Dirroot modificado en una acci\u00f3n AddUser en accounts/AccountActions.asp. NOTA: esto podr\u00eda estar solapado con la ejecuci\u00f3n de c\u00f3digo de forma remota cambiando los permisos de \\\\Forum\\\\db, el cual se configura para la ejecuci\u00f3n de secuencias de comandos de ASP con privilegios de administrador, y por lo tanto una actualizaci\u00f3n en la secuencia de comandos en \\\\Forum\\\\db.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"baseScore\":6.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":true,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hosting_controller:hosting_controller:6.1_hotfix_3.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B0D49DC9-27D0-4FDB-A273-FA161B0BC815\"}]}]}],\"references\":[{\"url\":\"http://hostingcontroller.com/english/logs/Post-Hotfix-3_3-sec-Patch-ReleaseNotes.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://osvdb.org/44184\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/28973\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://securityreason.com/securityalert/3474\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://securitytracker.com/id?1019222\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/archive/1/485028/100/0/threaded\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/26862\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.exploit-db.com/exploits/4730\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://hostingcontroller.com/english/logs/Post-Hotfix-3_3-sec-Patch-ReleaseNotes.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://osvdb.org/44184\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/28973\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://securityreason.com/securityalert/3474\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://securitytracker.com/id?1019222\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/archive/1/485028/100/0/threaded\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/26862\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.exploit-db.com/exploits/4730\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.