<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Zone-File-Injection - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/zone-file-injection/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jul 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/zone-file-injection/feed.xml" rel="self" type="application/rss+xml"/><item><title>Froxlor BIND Zone File Injection Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-07-froxlor-bind-injection/</link><pubDate>Wed, 03 Jul 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-07-froxlor-bind-injection/</guid><description>Froxlor versions 2.3.4 and earlier are vulnerable to BIND zone file injection, where an attacker can inject newlines and BIND zone file directives via the DomainZones API, potentially leading to information disclosure, DNS service disruption, and zone data manipulation.</description><content:encoded><![CDATA[<p>Froxlor, a server management panel, is vulnerable to a BIND zone file injection vulnerability (CVE-2026-30932) affecting versions 2.3.4 and earlier. This vulnerability exists within the <code>DomainZones.add</code> API endpoint, accessible to customers with DNS enabled. Due to insufficient validation of the <code>content</code> field for specific DNS record types (LOC, RP, SSHFP, TLSA), attackers can inject arbitrary BIND zone file directives. This injection occurs because the <code>content</code> field is not properly sanitized, as highlighted by a TODO comment in the source code. Successful exploitation can lead to unauthorized file access, DNS service disruptions, and manipulation of zone data. This vulnerability poses a significant risk to Froxlor users as it allows malicious actors to compromise the integrity and availability of DNS services.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains access to a Froxlor customer account with DNS management enabled.</li>
<li>The attacker crafts a malicious API request to the <code>DomainZones.add</code> endpoint.</li>
<li>The API request includes a DNS record type (LOC, RP, SSHFP, TLSA) and a <code>content</code> field containing injected BIND directives, such as <code>$INCLUDE /etc/passwd</code>.</li>
<li>The Froxlor application writes the unsanitized content directly into the BIND zone file via <code>DnsEntry::__toString()</code>.</li>
<li>The DNS rebuild cron job runs, processing the modified zone file.</li>
<li>BIND attempts to parse the injected directives, such as including <code>/etc/passwd</code> as zone data.</li>
<li>The attacker uses the <code>DomainZones.get</code> API or web UI to view the zone file and extract sensitive information or confirms service disruption.</li>
<li>Successful exploitation leads to information disclosure, DNS service disruption, or zone data manipulation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can have significant consequences. Information disclosure allows attackers to read world-readable files on the server, potentially exposing sensitive data. DNS service disruption can occur if the injected content causes BIND to fail to load the zone, leading to downtime for affected domains. Furthermore, attackers can manipulate zone data by injecting arbitrary DNS records, potentially redirecting traffic or causing other malicious activities. The vulnerability affects Froxlor versions 2.3.4 and earlier.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch or upgrade to a version of Froxlor greater than 2.3.4 to remediate CVE-2026-30932, which addresses the input validation issue.</li>
<li>Deploy the Sigma rule &quot;Detect Froxlor BIND Zone File Injection Attempts&quot; to identify suspicious API requests targeting the <code>DomainZones.add</code> endpoint (rules).</li>
<li>Monitor web server logs for POST requests to <code>/api.php</code> with <code>command: DomainZones.add</code> and suspicious characters or BIND directives in the <code>params</code> field to detect exploitation attempts (webserver).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>froxlor</category><category>bind</category><category>zone-file-injection</category><category>dns</category></item></channel></rss>