Summary
There is an SQL Injection and remote code execution vulnerability in Kloxo running on this host.
Impact
An unauthenticated remote attacker can retrieve data from the database, such as the admin cleartext password, and might use this for further attacks such as code execution through the Command Center function.
Solution
Upgrade to version 6.1.13 or higher.
Insight
The vulnerability is in /lbin/webcommand.php, where the login-name parameter is not properly sanitized and allows SQL injection.
Affected
LxCenter Kloxo version 6.1.12 and possibly prior versions.
Detection
Checks whether webcommand.php is available and whether a basic SQL injection can be conducted.
References
Severity
Classification
CVSS Base Score: 8.5
AV:N/AC:L/Au:N/C:C/I:P/A:N