Kloxo HostInABox 575 - local users could change any MySQL password on the box



DESCRIPTION


The details of this issue no longer exist, but there was a local SQL injection flaw in the Kloxo feature that allowed users to change their MySQL passwords.



IMPACT


Local users could obtain root privileges. Because the Kloxo database password could be changed, a user could retrieve the admin user's base64-encoded password, log into Kloxo as admin, and then execute commands as root via the web-based command shell.

This issue was reported to the vendor privately shortly after the other issues were made public, and was fixed the same day.