Title:
======
Kloxo LxCenter Server CP v6.1.10 - Multiple Web Vulnerabilities

Date:
=====
2012-02-10

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=429

VL-ID:
=====
429

Introduction:
=============
Scriptable, distributed and object oriented Hosting Platform. Manage Clients, Resellers, Domains, Backups, Stats, Mails and Databases. Manage everything!

(Copy of the Vendor Homepage: http://www.lxcenter.org/)

Abstract:
=========
The Vulnerability-Lab Team discovered multiple web vulnerabilities in Kloxo LxCenter Server CP v6.1.10.

Report-Timeline:
================
2012-02-10: Public or Non-Public Disclosure

Status:
========
Unpublished

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
Multiple persistent input validation vulnerabilities were detected in Kloxo LxCenter Server CP v6.1.10. The bugs allow a remote attacker to inject malicious script code that is stored on the application side (persistent). Successful exploitation allows an attacker to manipulate modules/context persistently and can lead to session hijacking (user/mod/admin).

Vulnerable Module(s):
[+] LocalHost {Command Center}
[+] Server > Information > Verbose Settings

Picture(s):
../1.png
../2.png

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers with medium required user interaction. For demonstration or reproduction ...

1.1 Localhost {Command Center}
Command Center for localhost
Command
... or
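The Details section describes stored values from the Command Center and Verbose Settings modules being echoed back into the control panel without validation or encoding. The following PHP is an added illustration written for this advisory, not Kloxo's own code: it shows that vulnerable rendering pattern beside a hardened version that allowlists the stored value on input and HTML-encodes it on output. The field names, function names and sample value are constructed assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical field list: the two modules named in the advisory store
// free-text values that are later written back into the admin pages.
const VERBOSE_SETTING_FIELDS = ['server_description', 'command_label'];

// Vulnerable pattern, as the advisory describes it: the stored value is
// concatenated straight into the HTML response, so any markup in it
// becomes live content for every admin who views the page.
function render_setting_unsafe(string $name, string $value): string
{
    return "<tr><td>$name</td><td>$value</td></tr>";
}

// Hardened form, step one: validate on the way in. Labels and short
// descriptions only need printable text, so reject anything else
// (including angle brackets and quotes) before it is ever stored.
function validate_setting(string $name, string $value): bool
{
    if (!in_array($name, VERBOSE_SETTING_FIELDS, true)) {
        return false; // unknown field name
    }
    return (bool) preg_match('/\A[\p{L}\p{N} .,_\-:()\/]{1,128}\z/u', $value);
}

// Hardened form, step two: always encode on the way out for the HTML
// element context, even for values that passed validation earlier.
function render_setting_safe(string $name, string $value): string
{
    $enc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $enc($name) . '</td><td>' . $enc($value) . '</td></tr>';
}

// Constructed sample input: a benign script marker submitted as a setting.
$payload = '<script>alert(1)</script>';

echo render_setting_unsafe('server_description', $payload), "\n"; // markup kept intact
var_dump(validate_setting('server_description', $payload));         // rejected by the allowlist
echo render_setting_safe('server_description', $payload), "\n";   // markup rendered inert
```

Validation alone is not sufficient because existing stored values predate the check; the output encoding is what neutralises data already in the database.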