J-Security Center

Title: Hosting Controller Information Disclosure Vulnerability

Severity: HIGH

Description:

Hosting Controller is an application that centralizes all hosting tasks in one interface. It gives every user the control needed to manage their own web site. Hosting Controller runs on Microsoft Windows systems.

An issue has been discovered in Hosting Controller which may make it easier for remote attackers to brute-force user accounts.

In particular, it is trivial for an attacker to determine if a username exists or not. When a user enters an invalid username, Hosting Controller gives the following feedback:

"The user name could not be found"

The following URLs are common paths to the login page:

http://www.thesite.com.tr/admin/
http://www.thesite.com.tr/webadmin/
http://www.thesite.com.tr/advwebadmin/
http://www.thesite.com.tr/hostingcontroller/

This issue allows the attacker to determine which usernames are valid. The attacker may then mount a brute-force attack to crack the passwords of those valid usernames.

Affected Products:

  • Hosting Controller Hosting Controller 1.1.0
  • Hosting Controller Hosting Controller 1.3.0
  • Hosting Controller Hosting Controller 1.4.0
  • Hosting Controller Hosting Controller 1.4.0 b
  • Hosting Controller Hosting Controller 1.4.1
