Kloxo HostInABox 575 - local user symlink attack



DESCRIPTION


The "PHP Config" option in Kloxo is vulnerable to a symlink attack by a local user.



IMPACT


Either privilege escalation to root, or the ability to corrupt files. I don't remember the exact result.

The issue pertained to the "PHP Config" option and involved creating a symlink at the path of the file that option creates: /home/username/domain/.htaccess
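
The class of bug described above, a privileged process writing a file inside a user-controlled directory, shown as a naive write beside one that refuses links. This is an added example in Python, not Kloxo's code and not part of the original advisory; the function names, the temporary directory layout, victim.conf and the sample directive are all constructed for the demonstration.

```python
import errno, os, stat, tempfile

def write_naive(path, data):
    """Plain open(): follows a symlink at `path` and writes to its target."""
    with open(path, "w") as f:
        f.write(data)

def write_hardened(dirpath, name, data):
    """Write `name` inside `dirpath`, refusing a link planted at that name."""
    dfd = os.open(dirpath, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        # O_NOFOLLOW: ELOOP if the final component is a symlink.
        # O_NONBLOCK: do not hang if a FIFO was placed there instead.
        flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW | os.O_NONBLOCK
        fd = os.open(name, flags, 0o644, dir_fd=dfd)
        try:
            st = os.fstat(fd)
            # Hard links and non-regular files are rejected before any write.
            if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
                raise PermissionError(f"{name}: not a private regular file")
            os.ftruncate(fd, 0)
            os.write(fd, data.encode())
        finally:
            os.close(fd)
    finally:
        os.close(dfd)

def read(path):
    with open(path) as f:
        return f.read()

def demo():
    """Constructed scenario in a temp dir; victim.conf stands in for a protected file."""
    content = "php_flag display_errors off\n"   # constructed sample directive
    with tempfile.TemporaryDirectory() as root:
        victim = os.path.join(root, "victim.conf")
        docroot = os.path.join(root, "domain")
        os.mkdir(docroot)
        write_naive(victim, "original\n")
        os.symlink(victim, os.path.join(docroot, ".htaccess"))  # pre-created link
        write_naive(os.path.join(docroot, ".htaccess"), content)
        naive_clobbered = read(victim) == content
        write_naive(victim, "original\n")                        # reset
        try:
            write_hardened(docroot, ".htaccess", content)
            refused = False
        except OSError as e:
            refused = e.errno == errno.ELOOP
        return naive_clobbered, refused, read(victim)
```

The hardened writer checks only the final path component; a panel running as root would also need to drop to the site owner's uid before writing, so that links in parent directories gain nothing.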