Froxlor API Local File Inclusion leads to Remote Code Execution
Froxlor is vulnerable to local file inclusion via path traversal in the `def_language` parameter of the API, leading to remote code execution as the web server user.
Froxlor, a server management panel, is vulnerable to a critical remote code execution (RCE) vulnerability due to insufficient validation of the def_language parameter in its API. An authenticated customer can exploit this vulnerability by injecting a path traversal sequence into the def_language setting via the Customers.update API endpoint. The injected path traversal allows an attacker to load and execute arbitrary PHP code outside of the intended language file directory. This vulnerability affects Froxlor versions 2.3.5 and earlier. Successful exploitation allows the attacker to execute arbitrary PHP code as the web server user, potentially leading to full server compromise. This issue stems from inconsistent validation between the web UI and the API, where the API lacks proper sanitization against path traversal.
Attack Chain
- Attacker gains valid customer credentials for a Froxlor panel.
- Attacker uploads a malicious PHP file (e.g.,
evil.lng.php) containing code to execute arbitrary commands, to their web directory via FTP. - Attacker crafts an API request to the
Customers.updateendpoint, setting thedef_languageparameter to a path traversal sequence pointing to the malicious PHP file (e.g.,../../../../../var/customers/webs/customer1/evil). - The Froxlor API stores the tainted
def_languagevalue in the database without proper validation. - Attacker triggers the vulnerability by making another API request (e.g.,
Customers.get). - The
ApiCommand::initLang()function loads the maliciousdef_languagevalue from the database. Language::setLanguage()andLanguage::loadLanguage()functions are called, which construct a file path using the attacker-controlled value and attempts to load a PHP file.- The
requirestatement withinLanguage::loadLanguage()executes the malicious PHP code, granting the attacker RCE as the web server user (e.g., www-data).
Impact
Successful exploitation allows an authenticated customer to execute arbitrary PHP code as the web server user. This can lead to: full server compromise by obtaining database credentials and accessing sensitive information, lateral movement to other customer environments within the shared hosting panel, persistent backdoors by modifying core system files or cron jobs, and data exfiltration, allowing the attacker to steal all hosted databases and email content. The vulnerable API is enabled by default.
Recommendation
- Apply the vendor-supplied patch described in the source URL to remediate the vulnerable API endpoint (https://github.com/advisories/GHSA-w59f-67xm-rxx7).
- Deploy the Sigma rule
Froxlor_Suspicious_DefLanguage_Updateto detect attempts to exploit the vulnerable API endpoint. - Enable web server logging to facilitate detection of API requests with malicious
def_languageparameters. - Monitor the file system for creation of
.lng.phpfiles in customer web directories as part of the attack chain, using the Sigma ruleFroxlor_Malicious_Lng_File_Creation.
Detection coverage 2
Froxlor Suspicious DefLanguage Update
highDetects API requests to Customers.update or Admins.update with suspicious def_language parameters containing path traversal sequences.
Froxlor Malicious Lng File Creation
criticalDetects creation of .lng.php files containing PHP code in customer web directories. Indicates initial stage of the attack.
Detection queries are available on the platform. Get full rules →