Froxlor PHP Code Injection via Unescaped Single Quotes in userdata.inc.php
Froxlor is vulnerable to PHP code injection due to unescaped single quotes in the userdata.inc.php generation via the MysqlServer API, where an administrator with `change_serversettings` permission can inject arbitrary PHP code, leading to arbitrary OS command execution as the web server user.
Froxlor versions 2.3.5 and earlier contain a PHP code injection vulnerability in userdata.inc.php due to improper handling of single quotes. An administrator with the change_serversettings permission can inject arbitrary PHP code through the MysqlServer.add or MysqlServer.update API endpoints. The vulnerability exists because the PhpHelper::parseArrayToString() function writes string values into single-quoted PHP string literals without escaping single quotes. Specifically, the privileged_user parameter, which lacks input validation, is written to lib/userdata.inc.php. Since this file is included on every request via Database::getDB(), a successful exploit results in arbitrary PHP code execution as the web server user. This allows attackers to compromise the server, exfiltrate data, move laterally, establish persistent backdoors, or cause denial of service.
Attack Chain
- An administrator with
change_serversettingspermission authenticates to the Froxlor API. - The attacker sends a POST request to
api.phpwith the commandMysqlServer.addorMysqlServer.update, injecting PHP code into theprivileged_userparameter. - The API endpoint
lib/Froxlor/Api/Commands/MysqlServer.phpprocesses the request, callingPhpHelper::parseArrayToPhpFile()throughgenerateNewUserData(). PhpHelper::parseArrayToString()atlib/Froxlor/PhpHelper.phpformats the injected code without proper escaping, writing it into the 'user' key within an array.- The array is then written to
lib/userdata.inc.phpusingfile_put_contents(). - Subsequent HTTP requests to the Froxlor panel trigger
Database::getDB()atlib/Froxlor/Database/Database.php. Database::getDB()includeslib/userdata.inc.phpusingrequire, resulting in the execution of the injected PHP code.- The injected code executes commands as the web server user, allowing the attacker to achieve their objectives such as data exfiltration or establishing a persistent backdoor.
Impact
Successful exploitation allows an admin with change_serversettings permissions to achieve arbitrary OS command execution as the web server user. This can lead to full server compromise, allowing attackers to read all hosted customer data, including database credentials and TLS private keys. Attackers can also use the compromised server for lateral movement, accessing MySQL databases and other internal systems. The injected code persists on every request, providing a persistent backdoor. Malformed PHP can also lead to a denial of service condition, disrupting the entire Froxlor panel. The vulnerability affects Froxlor installations up to and including version 2.3.5.
Recommendation
- Apply the patch provided in the advisory that escapes single quotes in
PhpHelper::parseArrayToString()before interpolating values, specifically by escaping backslashes and then single quotes. - Alternatively, use nowdoc syntax for all string values in
PhpHelper::parseArrayToString()as defense-in-depth to completely prevent injection. - Deploy the Sigma rule
Detect Froxlor MysqlServer API Abuseto identify potential exploitation attempts by monitoring API requests to the/api.phpendpoint. - Enable webserver logging to detect the execution of injected php code, and tune the
Detect Froxlor PHP Code Injection in userdata.inc.phpSigma rule. - Restrict and monitor
change_serversettingspermissions to reduce the attack surface.
Detection coverage 2
Detect Froxlor MysqlServer API Abuse
highDetects suspicious API requests to the Froxlor API endpoint `/api.php` that could indicate abuse of the MysqlServer API to inject PHP code.
Detect Froxlor PHP Code Injection in userdata.inc.php
criticalDetects potential PHP code injection attempts by monitoring file writes to `userdata.inc.php` containing suspicious code patterns.
Detection queries are available on the platform. Get full rules →