Kloxo HostInABox 575 - local users can overwrite any file on the box



DESCRIPTION


Local users can overwrite any file of their choice via a symlink attack when adding parked and redirected domains.



IMPACT


Local users could corrupt any files of their choice.


1. Log into Kloxo
2. Click "Parked / Redirected Domains"
3. Click "Add Parked"
4. In the box titled "Pointer Domain", enter: example.com
5. From the shell, cd /home/httpd/domainname/ where "domainname" is the dir onto which the Pointer Domain is being parked.
6. Rename, or remove, perlsuexec.sh
7. Now create a symlink to that file: ln -s /etc/resolv.conf perlsuexec.sh
8. Now go back to Kloxo and click "Add"


Observe that /etc/resolv.conf now contains the data from perlsuexec.sh. This also works with the phpsuexec.sh and shsuexec.sh files as well.