{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/zone-file-injection/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Froxlor"],"_cs_severities":["high"],"_cs_tags":["froxlor","bind","zone-file-injection","dns"],"_cs_type":"advisory","_cs_vendors":["Froxlor"],"content_html":"\u003cp\u003eFroxlor, a server management panel, is vulnerable to a BIND zone file injection vulnerability (CVE-2026-30932) affecting versions 2.3.4 and earlier. This vulnerability exists within the \u003ccode\u003eDomainZones.add\u003c/code\u003e API endpoint, accessible to customers with DNS enabled. Due to insufficient validation of the \u003ccode\u003econtent\u003c/code\u003e field for specific DNS record types (LOC, RP, SSHFP, TLSA), attackers can inject arbitrary BIND zone file directives. This injection occurs because the \u003ccode\u003econtent\u003c/code\u003e field is not properly sanitized, as highlighted by a TODO comment in the source code. Successful exploitation can lead to unauthorized file access, DNS service disruptions, and manipulation of zone data. This vulnerability poses a significant risk to Froxlor users as it allows malicious actors to compromise the integrity and availability of DNS services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to a Froxlor customer account with DNS management enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious API request to the \u003ccode\u003eDomainZones.add\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe API request includes a DNS record type (LOC, RP, SSHFP, TLSA) and a \u003ccode\u003econtent\u003c/code\u003e field containing injected BIND directives, such as \u003ccode\u003e$INCLUDE /etc/passwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Froxlor application writes the unsanitized content directly into the BIND zone file via \u003ccode\u003eDnsEntry::__toString()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe DNS rebuild cron job runs, processing the modified zone file.\u003c/li\u003e\n\u003cli\u003eBIND attempts to parse the injected directives, such as including \u003ccode\u003e/etc/passwd\u003c/code\u003e as zone data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eDomainZones.get\u003c/code\u003e API or web UI to view the zone file and extract sensitive information or confirms service disruption.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation leads to information disclosure, DNS service disruption, or zone data manipulation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can have significant consequences. Information disclosure allows attackers to read world-readable files on the server, potentially exposing sensitive data. DNS service disruption can occur if the injected content causes BIND to fail to load the zone, leading to downtime for affected domains. Furthermore, attackers can manipulate zone data by injecting arbitrary DNS records, potentially redirecting traffic or causing other malicious activities. The vulnerability affects Froxlor versions 2.3.4 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of Froxlor greater than 2.3.4 to remediate CVE-2026-30932, which addresses the input validation issue.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Froxlor BIND Zone File Injection Attempts\u0026quot; to identify suspicious API requests targeting the \u003ccode\u003eDomainZones.add\u003c/code\u003e endpoint (rules).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/api.php\u003c/code\u003e with \u003ccode\u003ecommand: DomainZones.add\u003c/code\u003e and suspicious characters or BIND directives in the \u003ccode\u003eparams\u003c/code\u003e field to detect exploitation attempts (webserver).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T12:00:00Z","date_published":"2024-07-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-07-froxlor-bind-injection/","summary":"Froxlor versions 2.3.4 and earlier are vulnerable to BIND zone file injection, where an attacker can inject newlines and BIND zone file directives via the DomainZones API, potentially leading to information disclosure, DNS service disruption, and zone data manipulation.","title":"Froxlor BIND Zone File Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-07-froxlor-bind-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Zone-File-Injection","version":"https://jsonfeed.org/version/1.1"}