Kloxo HostInABox 575 - web stats world readable password hashes


Local users can obtain the password hashes from the stats page protection files.


Local users could potentially obtain other users' stats passwords. This is a particular concern for users who reuse the same password elsewhere.

1. Log into Kloxo
2. Click "Stats Page Protection"
3. In the field titled "Statistics Page Password", enter a password

The hash of that password will be placed into a world-readable file here: /home/httpd/example.com/__dirprotect/__stats

where "example.com" is the domain onto which the stats password was added.
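
A check an administrator can run to find affected files, as an added example that is not part of the original advisory: it lists every __dirprotect/__stats file that has the world-read permission bit set. The function names are hypothetical, and it assumes all domains live under the /home/httpd base directory shown in the path above.

```shell
#!/bin/sh
# Added example, not from the advisory. Function names are hypothetical;
# the default base directory is taken from the path in the advisory.

# Print every <base>/<domain>/__dirprotect/__stats file whose mode has the
# "other read" bit (octal 004) set, one path per line, sorted.
find_world_readable_stats() {
    base=${1:-/home/httpd}
    # Nothing to report if the base directory does not exist on this host.
    [ -d "$base" ] || return 0
    find "$base" -type f -path '*/__dirprotect/__stats' \
        -perm -004 -print 2>/dev/null | sort
}

# Return 0 when no stats password file is world readable, 1 otherwise,
# so the check can be scheduled and alerted on by exit status.
audit_stats_files() {
    exposed=$(find_world_readable_stats "$1")
    if [ -n "$exposed" ]; then
        printf 'world-readable stats password files:\n%s\n' "$exposed" >&2
        return 1
    fi
    return 0
}

# Usage: audit_stats_files            (checks /home/httpd)
#        audit_stats_files /some/dir  (checks another base directory)
```

The check only inspects permission bits, so it reports the same result whether it is run as root or as an unprivileged local user.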