Kloxo, a free open source web hosting control panel for Redhat and CentOS linux distributions has had a SQL injection vulnerability found within the software. This exploit was originally being used as a zero-day in the wild and has affected a number of users like this one on Webhostingtalk.com.
This exploit is a high risk vulnerability, as it allows the attacker to obtain the admin password which then allows them to gain access to the control panel. With this access someone can utilize a second exploit (remote PHP code execution) which could lead to a malicious files being placed on the targeted server.
A Metasploit module has been released for the exploit as the vulnerability comes to light.
#Kloxo suffers SQLi and RCE http://t.co/SYb1cYuQu6
More that thousands of servers are at risk @TheHackersNews @securityshell @Zer0Security
— Morteza Khazamipour (@Mormoroth) February 11, 2014
A security researcher using the Twitter handle @Mormoroth has brought this exploit to our attention (tweet above), he also stated that Kloxo stores the root password in base64 which is extremely simple to decrypt and they did not even bother to use MD5, the standard encryption for passwords these days.
This exploit has the potential to disrupt thousands of servers and as of now, the Kloxo demo which is located on their official site is returning a “500 internal error”.
You can view the Metasploit module on Exploit-db here.