COMMAND
Alabanza
SYSTEMS AFFECTED
Alabanza
PROBLEM
Weihan Leow found the following. He discovered a serious bug in the
control panel that can really bring a webhost to its knees.
This hole is for the control panel of all Alabanza based
resellers/hosts. There could be more bugs but Weihan did not
take the time to find them yet. This is serious enough since you
can delete all resold domains for a particular webhosting company.
You can also change the default MX and CNAME records of all
associated domains.
By requesting the following URL on *most* Alabanza hosts/resellers,
you have the ability to add a domain to their NS without the
control panel user name and password:
http://www.domain.com/cp/rac/nsManager.cgi?Domain=HAHAHA.org&IP=127.0.0.1&OP=add&Language=english&Submit=Confirm
The above link has been broken to prevent abuse. If you are an
Alabanza based host/reseller, you can easily fix it.
This has been tested on multiple domains and so far, most of
them worked. You can substitute domain.com for any Alabanza
host/reseller domain and for the domain you want DNS set up for,
substitute HAHAHA.org for it. Weihan also changed the IP to
localhost instead of whatever was in there. The IP you put after
IP= is the IP address the domain will resolve to.
Here is an example after typing in the above fixed link with a
proper Alabanza domain in the beginning.
Name Server Manager
Domain HAHAHA.org will be added within 1 hour!
Your domain HAHAHA.org 127.0.0.1 will be setup within 1 hour!
Please click here to go back.
After the submission of the domain, you are even given a link to
take a look at the changes to be made. From this page, you can
delete as well as modify all associated domains:
http://www.domain.com/cp/rac/nsManager.cgi?Language=english
*Again, it's been broken* Again, no user name and password is
required. Serious damage to a host can be caused through this.
SOLUTION
If you would like to get it fixed, you had better email the admins at
Alabanza.
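
An added example, not part of the original advisory: a Python check that scans a web server access log for requests to the nsManager.cgi path shown above that were logged with no authenticated user. It assumes Apache combined log format and that a properly protected panel would record a user name in the third field; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: Apache combined log format; field 3 is the auth user ("-" if none).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
PANEL_PATH = "/cp/rac/nsmanager.cgi"  # path from the advisory, lower-cased

# Constructed sample lines (documentation addresses, placeholder names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /cp/rac/nsManager.cgi?Domain=example.org&IP=127.0.0.1&OP=add&Language=english&Submit=Confirm HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [01/Jan/2001:10:00:05 +0000] "GET /cp/rac/nsManager.cgi?Language=english HTTP/1.0" 200 2048 "-" "Mozilla/4.0"',
    '198.51.100.7 - reseller1 [01/Jan/2001:10:02:00 +0000] "GET /cp/rac/nsManager.cgi?Language=english HTTP/1.0" 200 2048 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [01/Jan/2001:10:03:00 +0000] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"',
]


def unauthenticated_ns_requests(lines):
    """Return one dict per nsManager.cgi request logged with no user."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["user"] != "-":
            continue  # unparsable line, or the request carried credentials
        url = urlsplit(m["target"])
        if unquote(url.path).lower() != PANEL_PATH:
            continue
        q = parse_qs(url.query, keep_blank_values=True)
        hits.append({
            "client": m["ip"],
            "time": m["ts"],
            "status": int(m["status"]),
            "op": q.get("OP", [""])[0],  # empty for the listing page
            "domain": q.get("Domain", [""])[0],
            "ip_param": q.get("IP", [""])[0],
        })
    return hits


if __name__ == "__main__":
    for hit in unauthenticated_ns_requests(SAMPLE_LOG):
        print(hit)
```

Parameters sent in a POST body do not appear in the access log, so for those requests only the path and the missing user are visible.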