Hosting Controller 6.1 Hotfix 1.9 and earlier allows remote attackers to register arbitrary users via a direct request to addsubsite.asp with the loginname and password parameters set.Referenceshttp://secunia.com/advisories/15271http://isun.shabgard.org/hc3.txt
