Kloxo SQL Injection and Remote Code Execution Vulnerability

Summary
There is an SQL Injection and remote code execution vulnerability in Kloxo running on this host.
Impact
An unauthenticated remote attacker can retrieve data from the database, e.g. the cleartext admin password, and may use it for further attacks such as executing commands through the Command Center function.
Solution
Upgrade to version 6.1.13 or later.
Insight
The vulnerability is in /lbin/webcommand.php, where the login-name parameter is not properly sanitized before it is used in a SQL query, allowing SQL injection.
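The following is an added illustration of the bug class described above, written for this page; it is not Kloxo's code and nothing beyond the parameter name login-name is taken from the advisory. The table name, column names, query shape, database credentials and the request method are all assumptions. It shows the unsanitized pattern next to a prepared-statement version that keeps the parameter as data.

```php
<?php
// Added illustration, not Kloxo's code. Table "users", columns "login_name"
// and "password", the DSN and the credentials are all assumptions.
// The only detail taken from the advisory is the request parameter name.

$pdo = new PDO('mysql:host=127.0.0.1;dbname=example_db', 'dbuser', 'dbpass');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Vulnerable pattern: the request parameter is interpolated into the SQL text.
// A value containing a single quote ends the string literal early, so the
// attacker controls the rest of the statement (e.g. a tautology or a UNION
// SELECT that reads other rows) and the query no longer depends on any
// secret the caller knows.
function lookupUserVulnerable(PDO $pdo, string $loginName): ?array
{
    $sql = "SELECT login_name, password FROM users WHERE login_name = '$loginName'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: a prepared statement fixes the statement structure before
// the attacker-controlled value is bound, so a quote in the input is just a
// quote inside the compared value.
function lookupUserSafe(PDO $pdo, string $loginName): ?array
{
    $stmt = $pdo->prepare('SELECT login_name, password FROM users WHERE login_name = ?');
    $stmt->execute([$loginName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The advisory does not state how the parameter is transmitted, so $_REQUEST
// is used here as an assumption. Both functions receive the identical raw
// value; only the safe one treats it as data rather than as SQL text.
$loginName = (string) ($_REQUEST['login-name'] ?? '');
$user = lookupUserSafe($pdo, $loginName);
```

Parameterizing the query stops the injection, but it does not address what the advisory says the attacker gains from it: if the application stores the admin password in cleartext, any other disclosure path still yields a usable credential, so the storage format deserves attention alongside the query fix.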
Affected
LxCenter Kloxo version 6.1.12 and possibly prior.
Detection
Checks whether webcommand.php is reachable and whether a basic SQL injection can be performed.
References

Updated on 2015-03-25