mailing list archives
Re: Major Vulnerability in Alabanza Control Panel
From: Weihan Leow <wleow () BUFFALO EDU>
Date: Mon, 25 Sep 2000 10:53:02 -0400
I meant 09-14-00.
Sorry for the confusion.
On Sun, 24 Sep 2000, Weihan Leow wrote:
Vulnerability: Ability to add/modify domains in name servers of webhosting
companies who are reselling for Alabanza.
Vendor Contacted: Yes, 09-14-99 - Hole still exists.
Hello everyone, I currently discovered a serious bug in the control
panel that can really bring a webhost to it's knees. This hole is for the
control panel of all Alabanza based resellers/hosts. There could be more
bugs but I did not take the time to find them yet. This is serious enough
since you can delete all resold domains for a particulr webhosting
company. You can also change the default MX and CNAME records of all
By copying the following url to *most* alabanza host resellers, you have
the ability to add a domain to their NS without the control panel user
name and password:
*The above link has been broken to prevent abuse. If you are an Alabanza
based host/reseller, you can easily fix it*
I have tested this on multiple domains and so far, most of them worked.
You can substitute domain.com for any Alabanza host/reseller domain and
for the domain you want DNS set up for, substitute HAHAHA.org for it. I
also changed the ip to localhost instead of whatever was in there. The ip
you put after IP= is the ip the domain will resolve to.
Here is an example after typing in the above fixed link with a proper
Alabanza domain in the beginning.
Name Server Manager
Domain HAHAHA.org will be added within 1 hour!
Your domain HAHAHA.org 127.0.0.1 will be setup within 1 hour!
Please click here to go back.
After the submission of the domain, you are even given a link to take a
look at the changes to be made. From this page, you can delete as well
as modify all associated domains:
*Again, it's been broken*
Again, no user name and password is required.
This is one of the exploits I have currently found in the control panel.
I have not looked further since this notice should make everyone aware of
what potential problems can exist. Serious damage to a host can be caused
If you would like to get it fixed, you better email the admins at
Alabanza. It's been more than a week since I have contacted them and no
fix yet. Hopefully, this will speed them up.