[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Vulnerability in software for Alabanza resellers

Title: Vulnerability in software for Alabanza resellers
Released by:
Date: 22nd September 2000
Printable version: Click here
Vulnerability: Ability to add/modify domains in name servers of webhosting

               companies who are reselling for Alabanza.

Vendor Contacted:  Yes, 09-14-99 - Hole still exists.


Hello everyone,  I currently discovered a serious bug in the control

panel that can really bring a webhost to it's knees.  This hole is for the

control panel of all Alabanza based resellers/hosts.  There could be more

bugs but I did not take the time to find them yet.  This is serious enough

since you can delete all resold domains for a particulr webhosting

company.  You can also change the default MX and CNAME records of all

associated domains.

By copying the following url to *most* alabanza host resellers, you have

the ability to add a domain to their NS without the control panel user

name and password:


*The above link has been broken to prevent abuse. If you are an Alabanza

based host/reseller, you can easily fix it*

I have tested this on multiple domains and so far, most of them worked.

You can substitute domain.com for any Alabanza host/reseller domain and

for the domain you want DNS set up for, substitute HAHAHA.org for it.  I

also changed the ip to localhost instead of whatever was in there.  The ip

you put after IP= is the ip the domain will resolve to.

Here is an example after typing in the above fixed link with a proper

Alabanza domain in the beginning.

Name Server Manager

Domain HAHAHA.org will be added within 1 hour!

Your domain HAHAHA.org will be setup within 1 hour!

Please click here to go back.

After the submission of the domain, you are even given a link to take a

look at the changes to be made.  From this page, you can delete as well

as modify all associated domains:


*Again, it's been broken*

Again, no user name and password is required.

This is one of the exploits I have currently found in the control panel.

I have not looked further since this notice should make everyone aware of

what potential problems can exist.  Serious damage to a host can be caused

through this.

If you would like to get it fixed, you better email the admins at

Alabanza.  It's been more than a week since I have contacted them and no

fix yet.  Hopefully, this will speed them up.

Weihan Leow

(C) 1999-2000 All rights reserved.