Home page logo

bugtraq logo Bugtraq mailing list archives

ZH2003-23SA (security advisory): HostAdmin Path Disclosure
From: G00db0y <G00db0y () zone-h org>
Date: 12 Aug 2003 17:12:41 -0000

ZH2003-23SA (security advisory): HostAdmin Path Disclosure

Published: 12 august 2003

Released: 12 august 2003

Name: HostAdmin

Affected Systems: current version

Issue: Remote attackers can know the path of the site

Author: G00db0y () zone-h org

Vendor: http://dreamcost.com/?page=hostadmin



Zone-h Security Team has discovered a flaw in HostAdmin (and older
versions?). "HostAdmin is based on PHP, MySQL, and uses HTML templates 
and CSS (Cascading Style Sheets) which can be modified for site-wide 
changes by any novice".


It's possible to make a malformed http request in HostAdmin and in doing 
trigger an error. The resulting error message will disclose potentially 
installation path information to the remote attacker.





The vendor has been contacted and a patch is not yet produced.



Filter the ' character. 

G00db0y - www.zone-h.org admin

Original advisory here: http://www.zone-h.org/en/advisories/read/id=2878/

  By Date           By Thread  

Current thread:
  • ZH2003-23SA (security advisory): HostAdmin Path Disclosure G00db0y (Aug 12)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]