Kloxo Exploit – Zero day exploit
There is an active zero-day Kloxo exploit with no workaround at this moment. If you are using Kloxo, it is recommended that you take the necessary steps to protect your server immediately, until an official patch is released to address this Kloxo exploit.
Many hosting providers have already suspended virtual machines that were running Kloxo. There is an SQL injection vulnerability in Kloxo that allows attackers to gain admin access. Many hosting providers have reported that their clients' Kloxo installations were compromised.
Again, if you are using Kloxo on your server, it is highly recommended that you take the necessary steps to protect it. You can stop Kloxo via SSH using the following command:
/etc/init.d/kloxo stop
You can also subscribe to the WebHostingTalk thread here; there is an ongoing discussion of this Kloxo exploit.
There have been no updates in the last two years, so it looks like Kloxo is at a dead end. This is a major vulnerability, and I really doubt they will be able to release a patch soon.
According to the WebHostingTalk thread, Kloxo MR (a Kloxo fork) also has a few security vulnerabilities, but details have not been published yet.
Kloxo 6.1.13 was released yesterday to address the following security issues:
– SQL Injection bug
– Filemanager bug
I have not tested it, but this was mentioned in their release notes.
Kloxo 6.1.18 has been released. Stay tuned for their updates and bug fixes.
There is a new update available for Kloxo: Kloxo 6.1.19 was released on March 23, 2014.
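Since several fixed releases (6.1.13, 6.1.18, 6.1.19) are now out, the practical question on a server is whether the installed copy is at or above the first fix. The script below is an added example and is not code from this post or from the Kloxo project. It assumes Kloxo is installed as an RPM package named kloxo (so rpm -q reports its version) and that 6.1.13 is the earliest release carrying the SQL injection and file manager fixes, as stated above; the KLOXO_VERSION override and the function names are this example's own. Versions are compared field by field because a plain string comparison would wrongly rank 6.1.9 above 6.1.13.

```shell
#!/bin/sh
# Added example, not from the original post or the Kloxo project.
# Report whether the installed Kloxo is at or above 6.1.13 (the first release
# the post lists as fixing the SQL injection and file manager bugs) and print
# the action to take. Fields are compared numerically so 6.1.9 < 6.1.13.

FIRST_FIXED="6.1.13"

# version_ge A B: exit 0 if A >= B. Versions are split on '.', non-digits are
# dropped from each field, and a missing field counts as 0 (so 6.1 == 6.1.0).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=$(printf '%s' "${a%%.*}" | tr -cd '0-9')
        bi=$(printf '%s' "${b%%.*}" | tr -cd '0-9')
        # consume the field just compared (empty once no dot remains)
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# installed_kloxo_version: version from the kloxo RPM (assumption: Kloxo is
# installed as an RPM named 'kloxo'), or KLOXO_VERSION if set, which lets the
# check be exercised on a machine without Kloxo.
installed_kloxo_version() {
    if [ -n "${KLOXO_VERSION:-}" ]; then
        printf '%s\n' "$KLOXO_VERSION"
    elif command -v rpm >/dev/null 2>&1 && rpm -q kloxo >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' kloxo
    fi
}

# kloxo_assess VERSION: print "patched" or "vulnerable"; exit 0 only if patched.
kloxo_assess() {
    if version_ge "$1" "$FIRST_FIXED"; then
        echo "patched"
        return 0
    fi
    echo "vulnerable"
    return 1
}

main() {
    v=$(installed_kloxo_version)
    if [ -z "$v" ]; then
        echo "Kloxo version not found; is it installed as the kloxo RPM?" >&2
        return 2
    fi
    if kloxo_assess "$v" >/dev/null; then
        echo "Kloxo $v: at or above $FIRST_FIXED, SQL injection fix present"
    else
        echo "Kloxo $v: below $FIRST_FIXED; stop it now: /etc/init.d/kloxo stop"
        return 1
    fi
}

# Run the check only when executed as kloxo-check.sh, so the functions can
# also be sourced from other scripts.
if [ "${0##*/}" = "kloxo-check.sh" ]; then
    main
fi
```

Save it as kloxo-check.sh and run `sh kloxo-check.sh` on the server; to try it elsewhere, run `KLOXO_VERSION=6.1.9 sh kloxo-check.sh`, which reports the version as vulnerable and exits 1. The exit status (0 patched, 1 vulnerable, 2 not found) is meant for use in a cron job or fleet-wide SSH loop that stops the panel where the fix is absent.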