{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/froxlor/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Froxlor"],"_cs_severities":["high"],"_cs_tags":["froxlor","bind","zone-file-injection","dns"],"_cs_type":"advisory","_cs_vendors":["Froxlor"],"content_html":"\u003cp\u003eFroxlor, a server management panel, is vulnerable to a BIND zone file injection vulnerability (CVE-2026-30932) affecting versions 2.3.4 and earlier. This vulnerability exists within the \u003ccode\u003eDomainZones.add\u003c/code\u003e API endpoint, accessible to customers with DNS enabled. Due to insufficient validation of the \u003ccode\u003econtent\u003c/code\u003e field for specific DNS record types (LOC, RP, SSHFP, TLSA), attackers can inject arbitrary BIND zone file directives. This injection occurs because the \u003ccode\u003econtent\u003c/code\u003e field is not properly sanitized, as highlighted by a TODO comment in the source code. Successful exploitation can lead to unauthorized file access, DNS service disruptions, and manipulation of zone data. This vulnerability poses a significant risk to Froxlor users as it allows malicious actors to compromise the integrity and availability of DNS services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to a Froxlor customer account with DNS management enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious API request to the \u003ccode\u003eDomainZones.add\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe API request includes a DNS record type (LOC, RP, SSHFP, TLSA) and a \u003ccode\u003econtent\u003c/code\u003e field containing injected BIND directives, such as \u003ccode\u003e$INCLUDE /etc/passwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Froxlor application writes the unsanitized content directly into the BIND zone file via \u003ccode\u003eDnsEntry::__toString()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe DNS rebuild cron job runs, processing the modified zone file.\u003c/li\u003e\n\u003cli\u003eBIND attempts to parse the injected directives, such as including \u003ccode\u003e/etc/passwd\u003c/code\u003e as zone data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eDomainZones.get\u003c/code\u003e API or web UI to view the zone file and extract sensitive information or confirms service disruption.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation leads to information disclosure, DNS service disruption, or zone data manipulation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can have significant consequences. Information disclosure allows attackers to read world-readable files on the server, potentially exposing sensitive data. DNS service disruption can occur if the injected content causes BIND to fail to load the zone, leading to downtime for affected domains. Furthermore, attackers can manipulate zone data by injecting arbitrary DNS records, potentially redirecting traffic or causing other malicious activities. The vulnerability affects Froxlor versions 2.3.4 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of Froxlor greater than 2.3.4 to remediate CVE-2026-30932, which addresses the input validation issue.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Froxlor BIND Zone File Injection Attempts\u0026quot; to identify suspicious API requests targeting the \u003ccode\u003eDomainZones.add\u003c/code\u003e endpoint (rules).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/api.php\u003c/code\u003e with \u003ccode\u003ecommand: DomainZones.add\u003c/code\u003e and suspicious characters or BIND directives in the \u003ccode\u003eparams\u003c/code\u003e field to detect exploitation attempts (webserver).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T12:00:00Z","date_published":"2024-07-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-07-froxlor-bind-injection/","summary":"Froxlor versions 2.3.4 and earlier are vulnerable to BIND zone file injection, where an attacker can inject newlines and BIND zone file directives via the DomainZones API, potentially leading to information disclosure, DNS service disruption, and zone data manipulation.","title":"Froxlor BIND Zone File Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-07-froxlor-bind-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Froxlor"],"_cs_severities":["critical"],"_cs_tags":["froxlor","rce","lfi","php"],"_cs_type":"advisory","_cs_vendors":["Froxlor"],"content_html":"\u003cp\u003eFroxlor, a server management panel, is vulnerable to a critical remote code execution (RCE) vulnerability due to insufficient validation of the \u003ccode\u003edef_language\u003c/code\u003e parameter in its API. An authenticated customer can exploit this vulnerability by injecting a path traversal sequence into the \u003ccode\u003edef_language\u003c/code\u003e setting via the \u003ccode\u003eCustomers.update\u003c/code\u003e API endpoint. The injected path traversal allows an attacker to load and execute arbitrary PHP code outside of the intended language file directory. This vulnerability affects Froxlor versions 2.3.5 and earlier. Successful exploitation allows the attacker to execute arbitrary PHP code as the web server user, potentially leading to full server compromise. This issue stems from inconsistent validation between the web UI and the API, where the API lacks proper sanitization against path traversal.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains valid customer credentials for a Froxlor panel.\u003c/li\u003e\n\u003cli\u003eAttacker uploads a malicious PHP file (e.g., \u003ccode\u003eevil.lng.php\u003c/code\u003e) containing code to execute arbitrary commands, to their web directory via FTP.\u003c/li\u003e\n\u003cli\u003eAttacker crafts an API request to the \u003ccode\u003eCustomers.update\u003c/code\u003e endpoint, setting the \u003ccode\u003edef_language\u003c/code\u003e parameter to a path traversal sequence pointing to the malicious PHP file (e.g., \u003ccode\u003e../../../../../var/customers/webs/customer1/evil\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Froxlor API stores the tainted \u003ccode\u003edef_language\u003c/code\u003e value in the database without proper validation.\u003c/li\u003e\n\u003cli\u003eAttacker triggers the vulnerability by making another API request (e.g., \u003ccode\u003eCustomers.get\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eApiCommand::initLang()\u003c/code\u003e function loads the malicious \u003ccode\u003edef_language\u003c/code\u003e value from the database.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eLanguage::setLanguage()\u003c/code\u003e and \u003ccode\u003eLanguage::loadLanguage()\u003c/code\u003e functions are called, which construct a file path using the attacker-controlled value and attempts to load a PHP file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erequire\u003c/code\u003e statement within \u003ccode\u003eLanguage::loadLanguage()\u003c/code\u003e executes the malicious PHP code, granting the attacker RCE as the web server user (e.g., www-data).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an authenticated customer to execute arbitrary PHP code as the web server user. This can lead to: full server compromise by obtaining database credentials and accessing sensitive information, lateral movement to other customer environments within the shared hosting panel, persistent backdoors by modifying core system files or cron jobs, and data exfiltration, allowing the attacker to steal all hosted databases and email content. The vulnerable API is enabled by default.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-supplied patch described in the source URL to remediate the vulnerable API endpoint (\u003ca href=\"https://github.com/advisories/GHSA-w59f-67xm-rxx7)\"\u003ehttps://github.com/advisories/GHSA-w59f-67xm-rxx7)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eFroxlor_Suspicious_DefLanguage_Update\u003c/code\u003e to detect attempts to exploit the vulnerable API endpoint.\u003c/li\u003e\n\u003cli\u003eEnable web server logging to facilitate detection of API requests with malicious \u003ccode\u003edef_language\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eMonitor the file system for creation of \u003ccode\u003e.lng.php\u003c/code\u003e files in customer web directories as part of the attack chain, using the Sigma rule \u003ccode\u003eFroxlor_Malicious_Lng_File_Creation\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T18:22:00Z","date_published":"2024-01-26T18:22:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-26-froxlor-rce/","summary":"Froxlor is vulnerable to local file inclusion via path traversal in the `def_language` parameter of the API, leading to remote code execution as the web server user.","title":"Froxlor API Local File Inclusion leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-26-froxlor-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.9,"id":"CVE-2023-6069"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Froxlor"],"_cs_severities":["critical"],"_cs_tags":["froxlor","symlink","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Froxlor"],"content_html":"\u003cp\u003eFroxlor, a server management panel, is vulnerable to an arbitrary directory ownership takeover in versions prior to 2.3.6. The vulnerability stems from an incomplete fix for CVE-2023-6069 related to symlink validation. Specifically, the \u003ccode\u003eDataDump.add()\u003c/code\u003e function lacks the \u003ccode\u003e$fixed_homedir\u003c/code\u003e parameter in its call to \u003ccode\u003eFileDir::makeCorrectDir()\u003c/code\u003e, which is present in other customer-facing API commands. This oversight allows a malicious customer to create a symlink within their web directory that points to an arbitrary directory on the system. When the \u003ccode\u003eExportCron\u003c/code\u003e task runs as root, it executes \u003ccode\u003echown -R\u003c/code\u003e on the resolved symlink target, effectively changing the ownership of the target directory and its contents to the attacker's user ID and group ID. This can lead to horizontal and vertical privilege escalation, data breaches, and service disruptions. The vulnerability can be triggered via a single API call, and the impact is delayed until the next cron run (typically hourly).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates a symlink within their web directory (accessible via FTP/SSH) pointing to a target directory (e.g., \u003ccode\u003e/var/customers/webs/victim_customer\u003c/code\u003e or \u003ccode\u003e/etc\u003c/code\u003e). For example: \u003ccode\u003eln -s /var/customers/webs/victim_customer /var/customers/webs/attacker_customer/steal\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker crafts an API request to \u003ccode\u003eDataDump.add()\u003c/code\u003e specifying the path to the created symlink (e.g., \u003ccode\u003e\u0026quot;path\u0026quot;:\u0026quot;steal\u0026quot;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDataDump.add()\u003c/code\u003e function, located in \u003ccode\u003eDataDump.php\u003c/code\u003e, calls \u003ccode\u003eFileDir::makeCorrectDir()\u003c/code\u003e without the \u003ccode\u003e$fixed_homedir\u003c/code\u003e parameter, bypassing symlink validation.\u003c/li\u003e\n\u003cli\u003eThe API call schedules a \u003ccode\u003eCREATE_CUSTOMER_DATADUMP\u003c/code\u003e task via \u003ccode\u003eCronjob::inserttask()\u003c/code\u003e, including the unvalidated path as \u003ccode\u003edestdir\u003c/code\u003e in the task data.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eExportCron::handle()\u003c/code\u003e function executes periodically as root, processing the scheduled data dump tasks.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eExportCron\u003c/code\u003e executes a series of commands including \u003ccode\u003emkdir -p\u003c/code\u003e, \u003ccode\u003etar cfz\u003c/code\u003e, and \u003ccode\u003echown -R\u003c/code\u003e with the attacker-controlled \u003ccode\u003edestdir\u003c/code\u003e path.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003echown -R\u003c/code\u003e command, executed via \u003ccode\u003eFileDir::safe_exec()\u003c/code\u003e, resolves the symlink and recursively changes the ownership of the target directory to the attacker's UID and GID.\u003c/li\u003e\n\u003cli\u003eThe attacker now owns the target directory and can modify files, escalate privileges, or disrupt services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability can have severe consequences: A malicious customer can take ownership of other customer's web files, databases, and email data, leading to data breaches. By targeting system directories like \u003ccode\u003e/etc\u003c/code\u003e, they can gain root access by modifying system files like \u003ccode\u003e/etc/passwd\u003c/code\u003e and \u003ccode\u003e/etc/shadow\u003c/code\u003e. This can lead to full system compromise. The attack requires minimal effort and can be difficult to trace due to the delayed impact. Successful exploitation leads to full read/write access to all files in the targeted directory, as well as potential service disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch provided by Froxlor in version 2.3.6, which corrects the call to \u003ccode\u003eFileDir::makeCorrectDir()\u003c/code\u003e in \u003ccode\u003eDataDump.add()\u003c/code\u003e to include the \u003ccode\u003e$fixed_homedir\u003c/code\u003e parameter (see fix in advisory).\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026quot;Froxlor DataDump API Call with Suspicious Path\u0026quot; Sigma rule to detect API calls to \u003ccode\u003eDataDump.add()\u003c/code\u003e with potentially malicious paths in web server logs.\u003c/li\u003e\n\u003cli\u003eImplement the suggested fix in \u003ccode\u003eExportCron.php\u003c/code\u003e to check if the destination path is a symlink before executing \u003ccode\u003echown -R\u003c/code\u003e (see fix in advisory).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003echown -R\u003c/code\u003e by the root user or the user running the Froxlor cron jobs, with a destination path that may indicate a symlink using the \u0026quot;Froxlor Suspicious chown Execution\u0026quot; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-08T12:00:00Z","date_published":"2024-01-08T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-froxlor-symlink-takeover/","summary":"Froxlor versions before 2.3.6 are vulnerable to arbitrary directory ownership takeover via the DataDump.add() function due to incomplete symlink validation, allowing attackers to manipulate file ownership via a malicious symlink.","title":"Froxlor DataDump.add() Incomplete Symlink Validation Allows Arbitrary Directory Ownership Takeover","url":"https://feed.craftedsignal.io/briefs/2024-01-froxlor-symlink-takeover/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Froxlor"],"_cs_severities":["critical"],"_cs_tags":["froxlor","php-injection","webserver"],"_cs_type":"advisory","_cs_vendors":["Froxlor"],"content_html":"\u003cp\u003eFroxlor versions 2.3.5 and earlier contain a PHP code injection vulnerability in \u003ccode\u003euserdata.inc.php\u003c/code\u003e due to improper handling of single quotes. An administrator with the \u003ccode\u003echange_serversettings\u003c/code\u003e permission can inject arbitrary PHP code through the \u003ccode\u003eMysqlServer.add\u003c/code\u003e or \u003ccode\u003eMysqlServer.update\u003c/code\u003e API endpoints. The vulnerability exists because the \u003ccode\u003ePhpHelper::parseArrayToString()\u003c/code\u003e function writes string values into single-quoted PHP string literals without escaping single quotes.  Specifically, the \u003ccode\u003eprivileged_user\u003c/code\u003e parameter, which lacks input validation, is written to \u003ccode\u003elib/userdata.inc.php\u003c/code\u003e. Since this file is included on every request via \u003ccode\u003eDatabase::getDB()\u003c/code\u003e, a successful exploit results in arbitrary PHP code execution as the web server user. This allows attackers to compromise the server, exfiltrate data, move laterally, establish persistent backdoors, or cause denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn administrator with \u003ccode\u003echange_serversettings\u003c/code\u003e permission authenticates to the Froxlor API.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to \u003ccode\u003eapi.php\u003c/code\u003e with the command \u003ccode\u003eMysqlServer.add\u003c/code\u003e or \u003ccode\u003eMysqlServer.update\u003c/code\u003e, injecting PHP code into the \u003ccode\u003eprivileged_user\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe API endpoint \u003ccode\u003elib/Froxlor/Api/Commands/MysqlServer.php\u003c/code\u003e processes the request, calling \u003ccode\u003ePhpHelper::parseArrayToPhpFile()\u003c/code\u003e through \u003ccode\u003egenerateNewUserData()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePhpHelper::parseArrayToString()\u003c/code\u003e at \u003ccode\u003elib/Froxlor/PhpHelper.php\u003c/code\u003e formats the injected code without proper escaping, writing it into the 'user' key within an array.\u003c/li\u003e\n\u003cli\u003eThe array is then written to \u003ccode\u003elib/userdata.inc.php\u003c/code\u003e using \u003ccode\u003efile_put_contents()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eSubsequent HTTP requests to the Froxlor panel trigger \u003ccode\u003eDatabase::getDB()\u003c/code\u003e at \u003ccode\u003elib/Froxlor/Database/Database.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eDatabase::getDB()\u003c/code\u003e includes \u003ccode\u003elib/userdata.inc.php\u003c/code\u003e using \u003ccode\u003erequire\u003c/code\u003e, resulting in the execution of the injected PHP code.\u003c/li\u003e\n\u003cli\u003eThe injected code executes commands as the web server user, allowing the attacker to achieve their objectives such as data exfiltration or establishing a persistent backdoor.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an admin with \u003ccode\u003echange_serversettings\u003c/code\u003e permissions to achieve arbitrary OS command execution as the web server user. This can lead to full server compromise, allowing attackers to read all hosted customer data, including database credentials and TLS private keys.  Attackers can also use the compromised server for lateral movement, accessing MySQL databases and other internal systems. The injected code persists on every request, providing a persistent backdoor.  Malformed PHP can also lead to a denial of service condition, disrupting the entire Froxlor panel.  The vulnerability affects Froxlor installations up to and including version 2.3.5.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch provided in the advisory that escapes single quotes in \u003ccode\u003ePhpHelper::parseArrayToString()\u003c/code\u003e before interpolating values, specifically by escaping backslashes and then single quotes.\u003c/li\u003e\n\u003cli\u003eAlternatively, use nowdoc syntax for all string values in \u003ccode\u003ePhpHelper::parseArrayToString()\u003c/code\u003e as defense-in-depth to completely prevent injection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Froxlor MysqlServer API Abuse\u003c/code\u003e to identify potential exploitation attempts by monitoring API requests to the \u003ccode\u003e/api.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging to detect the execution of injected php code, and tune the \u003ccode\u003eDetect Froxlor PHP Code Injection in userdata.inc.php\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eRestrict and monitor \u003ccode\u003echange_serversettings\u003c/code\u003e permissions to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-froxlor-php-injection/","summary":"Froxlor is vulnerable to PHP code injection due to unescaped single quotes in the userdata.inc.php generation via the MysqlServer API, where an administrator with `change_serversettings` permission can inject arbitrary PHP code, leading to arbitrary OS command execution as the web server user.","title":"Froxlor PHP Code Injection via Unescaped Single Quotes in userdata.inc.php","url":"https://feed.craftedsignal.io/briefs/2024-01-03-froxlor-php-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Froxlor","version":"https://jsonfeed.org/version/1.1"}