Kloxo HostInABox 575 - local users can overwrite any file on the box



DESCRIPTION


Local users can overwrite arbitrary files via symlink attacks when using the "InstallApp" feature.



IMPACT


Local users could obtain root privileges.

1. Log into Kloxo as a regular user (not a reseller)
2. Click "InstallApp"
3. Click "WordPress"
4. Click "Install This Application"
5. In the box titled "Location", enter: example
6. In the shell, create the following directory: /home/username/example.com/example


where "username" is the username of the account that you are attempting to install WordPress on, and where "example.com" is the DocumentRoot of the domain that you are installing WordPress on.

7. Now cd into the "example" directory and create a symlink named __kloxo_directory_list that points at the file to be overwritten:
[user1@testing574 /home/user1/example.com/example]$ ln -s /etc/resolv.conf __kloxo_directory_list
8. Now go back to Kloxo and click "Install"

Observe that /etc/resolv.conf has been destroyed:

[user1@testing574 /home/user1/example.com/example]$ cat /etc/resolv.conf
b:0;

I've never seen this feature actually install anything.
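As an added defensive illustration (not code from the advisory or from Kloxo), the following Python shows how a privileged installer can refuse the symlink substitution described above before writing into a user-controlled directory: open with O_NOFOLLOW, then check via fstat that the opened object is a regular file owned by the account the installer is acting for. The marker file name is taken from the advisory; the temp-directory files and their contents are constructed here and stand in for /etc/resolv.conf.

```python
import errno
import os
import stat
import tempfile

MARKER = "__kloxo_directory_list"  # file name from the advisory

def safe_write(path: str, data: bytes, owner_uid: int) -> bool:
    """Write data to path; return False instead of writing through a symlink
    or into a file that is not a regular file owned by owner_uid."""
    try:
        # O_NOFOLLOW: open() fails on a symlink rather than following it.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o644)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.EMLINK):  # Linux / BSD symlink errors
            return False
        raise
    try:
        # fstat on the open fd (not stat on the path) avoids a TOCTOU race;
        # the owner check also catches hard links to files the user does not own.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_uid != owner_uid:
            return False
        os.ftruncate(fd, 0)  # truncate only after the checks pass
        while data:
            data = data[os.write(fd, data):]
        return True
    finally:
        os.close(fd)

def demo() -> dict:
    """Rebuild the advisory's layout in a temp dir with constructed sample files."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "resolv.conf")  # stands in for /etc/resolv.conf
        with open(victim, "w") as f:
            f.write("nameserver 192.0.2.1\n")
        link = os.path.join(tmp, MARKER)
        os.symlink(victim, link)  # the user-planted symlink from step 7
        refused = not safe_write(link, b"b:0;", os.getuid())
        with open(victim) as f:
            intact = f.read() == "nameserver 192.0.2.1\n"
        # A genuine regular file in the same directory is still written.
        plain = os.path.join(tmp, "wp-config.php")
        written = safe_write(plain, b"<?php\n", os.getuid())
        with open(plain, "rb") as f:
            written = written and f.read() == b"<?php\n"
        return {"refused": refused, "intact": intact, "written": written}
```

Running the installer's file writes as the target account's uid, rather than as root, removes the privilege gain even where such a check is missed.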