{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/php-injection/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Froxlor"],"_cs_severities":["critical"],"_cs_tags":["froxlor","php-injection","webserver"],"_cs_type":"advisory","_cs_vendors":["Froxlor"],"content_html":"\u003cp\u003eFroxlor versions 2.3.5 and earlier contain a PHP code injection vulnerability in \u003ccode\u003euserdata.inc.php\u003c/code\u003e due to improper handling of single quotes. An administrator with the \u003ccode\u003echange_serversettings\u003c/code\u003e permission can inject arbitrary PHP code through the \u003ccode\u003eMysqlServer.add\u003c/code\u003e or \u003ccode\u003eMysqlServer.update\u003c/code\u003e API endpoints. The vulnerability exists because the \u003ccode\u003ePhpHelper::parseArrayToString()\u003c/code\u003e function writes string values into single-quoted PHP string literals without escaping single quotes.  Specifically, the \u003ccode\u003eprivileged_user\u003c/code\u003e parameter, which lacks input validation, is written to \u003ccode\u003elib/userdata.inc.php\u003c/code\u003e. Since this file is included on every request via \u003ccode\u003eDatabase::getDB()\u003c/code\u003e, a successful exploit results in arbitrary PHP code execution as the web server user. This allows attackers to compromise the server, exfiltrate data, move laterally, establish persistent backdoors, or cause denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn administrator with \u003ccode\u003echange_serversettings\u003c/code\u003e permission authenticates to the Froxlor API.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003eapi.php\u003c/code\u003e with the command \u003ccode\u003eMysqlServer.add\u003c/code\u003e or \u003ccode\u003eMysqlServer.update\u003c/code\u003e, injecting PHP code into the \u003ccode\u003eprivileged_user\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe API endpoint \u003ccode\u003elib/Froxlor/Api/Commands/MysqlServer.php\u003c/code\u003e processes the request, calling \u003ccode\u003ePhpHelper::parseArrayToPhpFile()\u003c/code\u003e through \u003ccode\u003egenerateNewUserData()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePhpHelper::parseArrayToString()\u003c/code\u003e at \u003ccode\u003elib/Froxlor/PhpHelper.php\u003c/code\u003e formats the injected code without proper escaping, writing it into the 'user' key within an array.\u003c/li\u003e\n\u003cli\u003eThe array is then written to \u003ccode\u003elib/userdata.inc.php\u003c/code\u003e using \u003ccode\u003efile_put_contents()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eSubsequent HTTP requests to the Froxlor panel trigger \u003ccode\u003eDatabase::getDB()\u003c/code\u003e at \u003ccode\u003elib/Froxlor/Database/Database.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDatabase::getDB()\u003c/code\u003e includes \u003ccode\u003elib/userdata.inc.php\u003c/code\u003e using \u003ccode\u003erequire\u003c/code\u003e, resulting in the execution of the injected PHP code.\u003c/li\u003e\n\u003cli\u003eThe injected code executes commands as the web server user, allowing the attacker to achieve their objectives such as data exfiltration or establishing a persistent backdoor.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an admin with \u003ccode\u003echange_serversettings\u003c/code\u003e permissions to achieve arbitrary OS command execution as the web server user. This can lead to full server compromise, allowing attackers to read all hosted customer data, including database credentials and TLS private keys.  Attackers can also use the compromised server for lateral movement, accessing MySQL databases and other internal systems. The injected code persists on every request, providing a persistent backdoor.  Malformed PHP can also lead to a denial of service condition, disrupting the entire Froxlor panel.  The vulnerability affects Froxlor installations up to and including version 2.3.5.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch provided in the advisory that escapes single quotes in \u003ccode\u003ePhpHelper::parseArrayToString()\u003c/code\u003e before interpolating values, specifically by escaping backslashes and then single quotes.\u003c/li\u003e\n\u003cli\u003eAlternatively, use nowdoc syntax for all string values in \u003ccode\u003ePhpHelper::parseArrayToString()\u003c/code\u003e as defense-in-depth to completely prevent injection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Froxlor MysqlServer API Abuse\u003c/code\u003e to identify potential exploitation attempts by monitoring API requests to the \u003ccode\u003e/api.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging to detect the execution of injected php code, and tune the \u003ccode\u003eDetect Froxlor PHP Code Injection in userdata.inc.php\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eRestrict and monitor \u003ccode\u003echange_serversettings\u003c/code\u003e permissions to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-froxlor-php-injection/","summary":"Froxlor is vulnerable to PHP code injection due to unescaped single quotes in the userdata.inc.php generation via the MysqlServer API, where an administrator with `change_serversettings` permission can inject arbitrary PHP code, leading to arbitrary OS command execution as the web server user.","title":"Froxlor PHP Code Injection via Unescaped Single Quotes in userdata.inc.php","url":"https://feed.craftedsignal.io/briefs/2024-01-03-froxlor-php-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Php-Injection","version":"https://jsonfeed.org/version/1.1"}