Kloxo HostInABox 575 - web stats world readable password hashes



DESCRIPTION


Local users can obtain the password hashes from the stats page protection files.



IMPACT


Local users could potentially obtain stats passwords from other users. This could potentially be bad for those who reuse passwords.

1. Log into Kloxo
2. Click "Stats Page Protection"
3. In the field titled "Statistics Page Password", enter a password


The hash of that password will be placed into a world-readable file here: /home/httpd/example.com/__dirprotect/__stats

where "example.com" is the domain onto which the stats password was added.
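
An audit for the condition described above, as an added example that is not part of the original advisory or Kloxo's own code: it lists files under /home/httpd/<domain>/__dirprotect/ that other local accounts can read. The function names are hypothetical, and it assumes the base directory and its parents are traversable, so only the domain and __dirprotect directories are checked for traversal.

```shell
#!/bin/sh
# Added example: audit stats/directory protection files for "other" read access.
# Default base is the /home/httpd path named in the advisory.

# True if directory $1 has the other-execute (traverse) bit set.
other_can_traverse() {
    [ -n "$(find "$1" -prune -type d -perm -001 -print)" ]
}

# Print each file under <base>/<domain>/__dirprotect/ that other local accounts
# can read: the file has o+r and both enclosing directories have o+x.
# Assumption: <base> and its parents are traversable, so only these two
# directory levels are checked.
exposed_dirprotect_files() {
    base=${1:-/home/httpd}
    for dir in "$base"/*/__dirprotect; do
        [ -d "$dir" ] || continue
        other_can_traverse "${dir%/*}" || continue
        other_can_traverse "$dir" || continue
        find "$dir" -type f -perm -004 -print
    done
    return 0
}

# Report exposed files with mode and owner. Returns 1 if any exist, so a cron
# job or monitoring check can alert on it.
audit_dirprotect() {
    hits=$(exposed_dirprotect_files "${1:-/home/httpd}")
    if [ -z "$hits" ]; then
        echo "OK: no world-readable protection files"
        return 0
    fi
    echo "World-readable protection files:"
    echo "$hits" | while IFS= read -r f; do ls -ld -- "$f"; done
    return 1
}

# Usage on a Kloxo host: audit_dirprotect /home/httpd
```

Which owner and mode are correct for these files depends on the account the web server reads them as, which the advisory does not state.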