Kloxo (HostInABox)


# VER L/R AUTH S REPORTED TYPE DESCRIPTION
01 575 L Y N 05/21/2009 design issue uid and gid reuse
02 575 L N N 05/21/2009 design issue unprivileged port use
03 575 R - N 05/21/2009 default passwords various resources default passwords
04 575 L N N 05/21/2009 design issue full useradd string in the process list
05 575 - - N 05/21/2009 XSS XSS issues
06 575 L Y N 05/21/2009 design issue append uncontrolled data to any file
07 575 L Y N 05/21/2009 symlink local users could control any file or directory when adding a domain
08 575 L Y N 05/21/2009 symlink local users could control any file or directory when creating an ftp user
09 575 L Y N 05/21/2009 symlink local users could overwrite any file on the box with uncontrolled data
10 575 L Y N 05/21/2009 symlink local users could control any directory when adding a new domain
11 575 L Y N 05/21/2009 shell invocation local users could execute any command as root
12 575 L N N 05/21/2009 permissions users' web stats files world readable, contained stats password hashes
13 575 L Y N 05/21/2009 symlink local users could overwrite any file on the box with uncontrolled data
14 575 L Y N 05/21/2009 shell invocation local users could execute any command as root
15 575 R N Y 05/21/2009 design issue remote users could block any or all IP addresses in hosts.deny (lxguard)
16 575 R N N 05/21/2009 DoS remote memory and cpu DoS
17 575 L Y N 05/21/2009 symlink local users could truncate, control any file
18 575 L Y N 05/21/2009 race condition 2 ways local users could overwrite, control any file
19 575 L Y N 05/21/2009 hard link file manager allows local users to view and edit any file
20 575 L Y N 05/21/2009 race condition file manager allows local users to create, overwrite, control any file
21 575 L Y N 05/21/2009 hard link file manger allows local users to view, edit any file
22 575 L Y N 05/21/2009 symlink Script -> PHP Config symlink attack
23 575 L Y N 05/21/2009 symlink local users could control any file when changing ownership of a domain
24 575 R N N 05/21/2009 sql injection remotely obtain the "admin" user's password
25 575 L Y N 06/05/2009 sql injection users could change anyone's mysql password




Trivial very minor issues
Low XSS, info leaks
Medium destructive actions, access others' accounts
High local root (auth required), /root/.accesshash, /etc/shadow access
Less Critical local root (no auth required)
Critical remote root (no auth required)
L/R Local/Remote
Auth Authentication required
S Bug found via source code review