Kloxo installations compromised

[masterb56]

webhostingtalk.com/showthread.php?t=1344003

Heads up to those running Kloxo on your vps/dedis.

 

[Kruno]

Here is the patch:
LxCenter Forum: Technical Help » Kloxo 6.1.12 Hack

Another suggestion is to disable web command from Kloxo. Anyone who needs to execute SSH commands should use SSH, not Kloxo's interface in the first place.
LxCenter Forum: Technical Help » Kloxo 6.1.12 Hack

P.S We at KnownSRV have mass-patched all Kloxo installations on our network a few hours after this exploit was released. If you are a KnownSRV client, you do NOT need to patch the above, it's already been done.

 

[Rox]

The development team is active again and Kloxo 6.1.13 is released. These hacks were fixed, can someone confirm?

 

[msk19994]

@Rox http://project.lxcenter.org/news/25

 

[Rox]

PS: Backup before you upgrade, Kloxo crashes on updates a lot of time.

 

[msk19994]

Fuk u why didnt u post this message earlier i just pressed upgrade damn u

 

[Rox]

SSH upgrade wont do any harm, but panel upgrade

God save you.

 

[msk19994]

Oh well i take back what i said above first of all cuz i aint gay and i dont fuck men and the second thing is that it upgraded without any issue so oh well sorry about that :P
And people that upgrade button works :P

 

[Kruno]

Upgrade from Kloxo itself is broken. It may cause blank-pages while accessing Kloxo after the upgrade.

The proper method for upgrading Kloxo is from SSH.
# /script/upcp
# service kloxo restart

 

[Rox]

Yes, that's why I said updating from SSH is better.

Kruno - Are the major exploits fixed in this version? I know you aren't the dev, just asking since you are a server security expert.

 

[Kruno]

I can confirm 6.1.13 version fixed security flaws in question.

There is no known exploits for the newest version at this time. If you are paranoid you could keep Kloxo stopped and enable it only when you need it. Or keep Kloxo ports(7777 / 7778) whitelisted to your IP address / VPN only.
# service kloxo stop
# service kloxo start

 

[Rox]

Great, thanks! Some hosts went paranoid and banned kloxo usage completely on their servers. Noobs -_-