<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Php-Injection - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/php-injection/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/php-injection/feed.xml" rel="self" type="application/rss+xml"/><item><title>Froxlor PHP Code Injection via Unescaped Single Quotes in userdata.inc.php</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-froxlor-php-injection/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-froxlor-php-injection/</guid><description>Froxlor is vulnerable to PHP code injection due to unescaped single quotes in the userdata.inc.php generation via the MysqlServer API, where an administrator with `change_serversettings` permission can inject arbitrary PHP code, leading to arbitrary OS command execution as the web server user.</description><content:encoded><![CDATA[<p>Froxlor versions 2.3.5 and earlier contain a PHP code injection vulnerability in <code>userdata.inc.php</code> due to improper handling of single quotes. An administrator with the <code>change_serversettings</code> permission can inject arbitrary PHP code through the <code>MysqlServer.add</code> or <code>MysqlServer.update</code> API endpoints. The vulnerability exists because the <code>PhpHelper::parseArrayToString()</code> function writes string values into single-quoted PHP string literals without escaping single quotes.  Specifically, the <code>privileged_user</code> parameter, which lacks input validation, is written to <code>lib/userdata.inc.php</code>. Since this file is included on every request via <code>Database::getDB()</code>, a successful exploit results in arbitrary PHP code execution as the web server user. This allows attackers to compromise the server, exfiltrate data, move laterally, establish persistent backdoors, or cause denial of service.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An administrator with <code>change_serversettings</code> permission authenticates to the Froxlor API.</li>
<li>The attacker sends a POST request to <code>api.php</code> with the command <code>MysqlServer.add</code> or <code>MysqlServer.update</code>, injecting PHP code into the <code>privileged_user</code> parameter.</li>
<li>The API endpoint <code>lib/Froxlor/Api/Commands/MysqlServer.php</code> processes the request, calling <code>PhpHelper::parseArrayToPhpFile()</code> through <code>generateNewUserData()</code>.</li>
<li><code>PhpHelper::parseArrayToString()</code> at <code>lib/Froxlor/PhpHelper.php</code> formats the injected code without proper escaping, writing it into the 'user' key within an array.</li>
<li>The array is then written to <code>lib/userdata.inc.php</code> using <code>file_put_contents()</code>.</li>
<li>Subsequent HTTP requests to the Froxlor panel trigger <code>Database::getDB()</code> at <code>lib/Froxlor/Database/Database.php</code>.</li>
<li><code>Database::getDB()</code> includes <code>lib/userdata.inc.php</code> using <code>require</code>, resulting in the execution of the injected PHP code.</li>
<li>The injected code executes commands as the web server user, allowing the attacker to achieve their objectives such as data exfiltration or establishing a persistent backdoor.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows an admin with <code>change_serversettings</code> permissions to achieve arbitrary OS command execution as the web server user. This can lead to full server compromise, allowing attackers to read all hosted customer data, including database credentials and TLS private keys.  Attackers can also use the compromised server for lateral movement, accessing MySQL databases and other internal systems. The injected code persists on every request, providing a persistent backdoor.  Malformed PHP can also lead to a denial of service condition, disrupting the entire Froxlor panel.  The vulnerability affects Froxlor installations up to and including version 2.3.5.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch provided in the advisory that escapes single quotes in <code>PhpHelper::parseArrayToString()</code> before interpolating values, specifically by escaping backslashes and then single quotes.</li>
<li>Alternatively, use nowdoc syntax for all string values in <code>PhpHelper::parseArrayToString()</code> as defense-in-depth to completely prevent injection.</li>
<li>Deploy the Sigma rule <code>Detect Froxlor MysqlServer API Abuse</code> to identify potential exploitation attempts by monitoring API requests to the <code>/api.php</code> endpoint.</li>
<li>Enable webserver logging to detect the execution of injected php code, and tune the <code>Detect Froxlor PHP Code Injection in userdata.inc.php</code> Sigma rule.</li>
<li>Restrict and monitor <code>change_serversettings</code> permissions to reduce the attack surface.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>froxlor</category><category>php-injection</category><category>webserver</category></item></channel></rss>