Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Kloxo Web Hosting Control Panel SQL Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A SQL injection vulnerability has been identified in the Kloxo web hosting control panel in versions prior to 6.1.12. An unauthenticated attacker can inject SQL through the 'login-name' parameter of 'lbin/webcommand.php', bypassing the input sanitization and extracting the administrator's password from the database. With that password, the attacker can log in to the Kloxo control panel and use its Command Center feature to execute arbitrary commands as root on the server.
Impact
Exploitation of this vulnerability allows SQL injection leading to the extraction of sensitive data such as the administrator's password, followed by unauthorized access to the Kloxo control panel and execution of commands with root privileges on the server.
Reproduction
The vulnerability can be reproduced by sending a crafted HTTP request to 'lbin/webcommand.php' with a SQL injection payload in the 'login-name' parameter. The payload exploits the application's SQL query handling, for example by using 'UNION SELECT' to extract data from the database. After the password has been retrieved through the injection, 'display.php' can be used to execute commands on the server as root.
Remediation
Users are advised to update to Kloxo version 6.1.12 or later, where this vulnerability has been addressed.
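As an added example that is not part of this advisory, the following Python script scans web-server access logs for requests to 'lbin/webcommand.php' whose 'login-name' parameter carries SQL metacharacters or keywords such as UNION SELECT, which is how exploitation attempts against unpatched hosts would appear; the log format and sample lines are constructed, and only query-string parameters are visible this way (POST bodies are not logged).

```python
# Added example (not from the advisory): flag access-log requests that target the
# Kloxo endpoint named above with SQL-injection-looking 'login-name' values.
# Log format and sample lines are constructed; adapt LOG_RE to your server's format.
import re
from typing import Iterable, Iterator, Optional, Tuple
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache/nginx "combined" format: client, timestamp, request line, status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators that do not belong in a value that should only ever be a login name.
SQLI_RE = re.compile(
    r"""(['"`;]|--|/\*|\b(union|select|concat|sleep|benchmark|information_schema)\b)""",
    re.IGNORECASE,
)

def suspicious_login_name(target: str) -> Optional[str]:
    """Return the decoded login-name value if the request hits lbin/webcommand.php
    with SQL metacharacters or keywords in that parameter, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/lbin/webcommand.php"):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("login-name", []):
        decoded = unquote_plus(value)  # second decode catches double-encoded payloads
        if SQLI_RE.search(decoded):
            return decoded
    return None

def scan_access_log(lines: Iterable[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (client ip, timestamp, decoded login-name) for each suspicious request."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["method"] in ("GET", "POST"):
            hit = suspicious_login_name(m["target"])
            if hit is not None:
                yield (m["ip"], m["ts"], hit)

# Constructed sample log lines (not real traffic): a normal login, an injection
# attempt against the vulnerable parameter, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /lbin/webcommand.php?login-name=admin&login-password=x HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /lbin/webcommand.php?login-name=admin%27+UNION+SELECT+1,2,3--+ HTTP/1.1" 200 912',
    '198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /display.php?frm_action=update HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, ts, payload in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious login-name: {payload!r}")
```

A hit from an address that later reaches 'display.php' on an unpatched host is the sequence the advisory describes and deserves an incident-response follow-up, not just a block.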
