LxCenter Kloxo lbin/webcommand.php SQL Injection Vulnerability

LxCenter Kloxo (formerly known as Lxadmin) is a free, opensource web hosting control panel for the Red Hat and CentOS Linux distributions.

The vulnerability exists because an implemented /lbin/webcommand.php source file fails to properly sanitize user-supplied input received via the 'login-name' parameter. This allows a remote, unauthenticated attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data e.g. obtaining the cleartext admin password.

Affected Versions:
Kloxo versions prior to 6.1.13

Successful exploitation could allow an unauthenticated remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

N/A

Workaround:
There hasn't been an official confirmation from the vendor that remediates this vulnerability. However, customers may install the latest version of Kloxo. Additionally, customers may want to check for unknown or modified files in the /home/kloxo/httpd/default directories. If found, they are advised to recover the original file from a reliable backup.