In Hosting Controller 2002, it is possible to change the password of any
user, Administrator.
To exploit this, one would have to:
Add a user (/accounts/getuserdesc.asp)
Edit the user, changing the password (/accounts/updateuserdesc.asp)
Then using something like the @stake web proxy, change the hidden field
username to whatever they wanted (ie, administrator), and submit the form.
The vender was notified, they have released a patch
(http://hostingcontroller.com/English/downloads/inc_updateuser.zip), which
was released within 48 hours of notification (good job!)
