<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Froxlor - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/froxlor/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jul 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/froxlor/feed.xml" rel="self" type="application/rss+xml"/><item><title>Froxlor BIND Zone File Injection Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-07-froxlor-bind-injection/</link><pubDate>Wed, 03 Jul 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-07-froxlor-bind-injection/</guid><description>Froxlor versions 2.3.4 and earlier are vulnerable to BIND zone file injection, where an attacker can inject newlines and BIND zone file directives via the DomainZones API, potentially leading to information disclosure, DNS service disruption, and zone data manipulation.</description><content:encoded><![CDATA[<p>Froxlor, a server management panel, is vulnerable to a BIND zone file injection vulnerability (CVE-2026-30932) affecting versions 2.3.4 and earlier. This vulnerability exists within the <code>DomainZones.add</code> API endpoint, accessible to customers with DNS enabled. Due to insufficient validation of the <code>content</code> field for specific DNS record types (LOC, RP, SSHFP, TLSA), attackers can inject arbitrary BIND zone file directives. This injection occurs because the <code>content</code> field is not properly sanitized, as highlighted by a TODO comment in the source code. Successful exploitation can lead to unauthorized file access, DNS service disruptions, and manipulation of zone data. This vulnerability poses a significant risk to Froxlor users as it allows malicious actors to compromise the integrity and availability of DNS services.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains access to a Froxlor customer account with DNS management enabled.</li>
<li>The attacker crafts a malicious API request to the <code>DomainZones.add</code> endpoint.</li>
<li>The API request includes a DNS record type (LOC, RP, SSHFP, TLSA) and a <code>content</code> field containing injected BIND directives, such as <code>$INCLUDE /etc/passwd</code>.</li>
<li>The Froxlor application writes the unsanitized content directly into the BIND zone file via <code>DnsEntry::__toString()</code>.</li>
<li>The DNS rebuild cron job runs, processing the modified zone file.</li>
<li>BIND attempts to parse the injected directives, such as including <code>/etc/passwd</code> as zone data.</li>
<li>The attacker uses the <code>DomainZones.get</code> API or web UI to view the zone file and extract sensitive information or confirms service disruption.</li>
<li>Successful exploitation leads to information disclosure, DNS service disruption, or zone data manipulation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can have significant consequences. Information disclosure allows attackers to read world-readable files on the server, potentially exposing sensitive data. DNS service disruption can occur if the injected content causes BIND to fail to load the zone, leading to downtime for affected domains. Furthermore, attackers can manipulate zone data by injecting arbitrary DNS records, potentially redirecting traffic or causing other malicious activities. The vulnerability affects Froxlor versions 2.3.4 and earlier.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch or upgrade to a version of Froxlor greater than 2.3.4 to remediate CVE-2026-30932, which addresses the input validation issue.</li>
<li>Deploy the Sigma rule &quot;Detect Froxlor BIND Zone File Injection Attempts&quot; to identify suspicious API requests targeting the <code>DomainZones.add</code> endpoint (rules).</li>
<li>Monitor web server logs for POST requests to <code>/api.php</code> with <code>command: DomainZones.add</code> and suspicious characters or BIND directives in the <code>params</code> field to detect exploitation attempts (webserver).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>froxlor</category><category>bind</category><category>zone-file-injection</category><category>dns</category></item><item><title>Froxlor API Local File Inclusion leads to Remote Code Execution</title><link>https://feed.craftedsignal.io/briefs/2024-01-26-froxlor-rce/</link><pubDate>Fri, 26 Jan 2024 18:22:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-26-froxlor-rce/</guid><description>Froxlor is vulnerable to local file inclusion via path traversal in the `def_language` parameter of the API, leading to remote code execution as the web server user.</description><content:encoded><![CDATA[<p>Froxlor, a server management panel, is vulnerable to a critical remote code execution (RCE) vulnerability due to insufficient validation of the <code>def_language</code> parameter in its API. An authenticated customer can exploit this vulnerability by injecting a path traversal sequence into the <code>def_language</code> setting via the <code>Customers.update</code> API endpoint. The injected path traversal allows an attacker to load and execute arbitrary PHP code outside of the intended language file directory. This vulnerability affects Froxlor versions 2.3.5 and earlier. Successful exploitation allows the attacker to execute arbitrary PHP code as the web server user, potentially leading to full server compromise. This issue stems from inconsistent validation between the web UI and the API, where the API lacks proper sanitization against path traversal.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains valid customer credentials for a Froxlor panel.</li>
<li>Attacker uploads a malicious PHP file (e.g., <code>evil.lng.php</code>) containing code to execute arbitrary commands, to their web directory via FTP.</li>
<li>Attacker crafts an API request to the <code>Customers.update</code> endpoint, setting the <code>def_language</code> parameter to a path traversal sequence pointing to the malicious PHP file (e.g., <code>../../../../../var/customers/webs/customer1/evil</code>).</li>
<li>The Froxlor API stores the tainted <code>def_language</code> value in the database without proper validation.</li>
<li>Attacker triggers the vulnerability by making another API request (e.g., <code>Customers.get</code>).</li>
<li>The <code>ApiCommand::initLang()</code> function loads the malicious <code>def_language</code> value from the database.</li>
<li><code>Language::setLanguage()</code> and <code>Language::loadLanguage()</code> functions are called, which construct a file path using the attacker-controlled value and attempts to load a PHP file.</li>
<li>The <code>require</code> statement within <code>Language::loadLanguage()</code> executes the malicious PHP code, granting the attacker RCE as the web server user (e.g., www-data).</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows an authenticated customer to execute arbitrary PHP code as the web server user. This can lead to: full server compromise by obtaining database credentials and accessing sensitive information, lateral movement to other customer environments within the shared hosting panel, persistent backdoors by modifying core system files or cron jobs, and data exfiltration, allowing the attacker to steal all hosted databases and email content. The vulnerable API is enabled by default.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the vendor-supplied patch described in the source URL to remediate the vulnerable API endpoint (<a href="https://github.com/advisories/GHSA-w59f-67xm-rxx7)">https://github.com/advisories/GHSA-w59f-67xm-rxx7)</a>.</li>
<li>Deploy the Sigma rule <code>Froxlor_Suspicious_DefLanguage_Update</code> to detect attempts to exploit the vulnerable API endpoint.</li>
<li>Enable web server logging to facilitate detection of API requests with malicious <code>def_language</code> parameters.</li>
<li>Monitor the file system for creation of <code>.lng.php</code> files in customer web directories as part of the attack chain, using the Sigma rule <code>Froxlor_Malicious_Lng_File_Creation</code>.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>froxlor</category><category>rce</category><category>lfi</category><category>php</category></item><item><title>Froxlor DataDump.add() Incomplete Symlink Validation Allows Arbitrary Directory Ownership Takeover</title><link>https://feed.craftedsignal.io/briefs/2024-01-froxlor-symlink-takeover/</link><pubDate>Mon, 08 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-froxlor-symlink-takeover/</guid><description>Froxlor versions before 2.3.6 are vulnerable to arbitrary directory ownership takeover via the DataDump.add() function due to incomplete symlink validation, allowing attackers to manipulate file ownership via a malicious symlink.</description><content:encoded><![CDATA[<p>Froxlor, a server management panel, is vulnerable to an arbitrary directory ownership takeover in versions prior to 2.3.6. The vulnerability stems from an incomplete fix for CVE-2023-6069 related to symlink validation. Specifically, the <code>DataDump.add()</code> function lacks the <code>$fixed_homedir</code> parameter in its call to <code>FileDir::makeCorrectDir()</code>, which is present in other customer-facing API commands. This oversight allows a malicious customer to create a symlink within their web directory that points to an arbitrary directory on the system. When the <code>ExportCron</code> task runs as root, it executes <code>chown -R</code> on the resolved symlink target, effectively changing the ownership of the target directory and its contents to the attacker's user ID and group ID. This can lead to horizontal and vertical privilege escalation, data breaches, and service disruptions. The vulnerability can be triggered via a single API call, and the impact is delayed until the next cron run (typically hourly).</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker creates a symlink within their web directory (accessible via FTP/SSH) pointing to a target directory (e.g., <code>/var/customers/webs/victim_customer</code> or <code>/etc</code>). For example: <code>ln -s /var/customers/webs/victim_customer /var/customers/webs/attacker_customer/steal</code>.</li>
<li>Attacker crafts an API request to <code>DataDump.add()</code> specifying the path to the created symlink (e.g., <code>&quot;path&quot;:&quot;steal&quot;</code>).</li>
<li>The <code>DataDump.add()</code> function, located in <code>DataDump.php</code>, calls <code>FileDir::makeCorrectDir()</code> without the <code>$fixed_homedir</code> parameter, bypassing symlink validation.</li>
<li>The API call schedules a <code>CREATE_CUSTOMER_DATADUMP</code> task via <code>Cronjob::inserttask()</code>, including the unvalidated path as <code>destdir</code> in the task data.</li>
<li>The <code>ExportCron::handle()</code> function executes periodically as root, processing the scheduled data dump tasks.</li>
<li>The <code>ExportCron</code> executes a series of commands including <code>mkdir -p</code>, <code>tar cfz</code>, and <code>chown -R</code> with the attacker-controlled <code>destdir</code> path.</li>
<li>The <code>chown -R</code> command, executed via <code>FileDir::safe_exec()</code>, resolves the symlink and recursively changes the ownership of the target directory to the attacker's UID and GID.</li>
<li>The attacker now owns the target directory and can modify files, escalate privileges, or disrupt services.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability can have severe consequences: A malicious customer can take ownership of other customer's web files, databases, and email data, leading to data breaches. By targeting system directories like <code>/etc</code>, they can gain root access by modifying system files like <code>/etc/passwd</code> and <code>/etc/shadow</code>. This can lead to full system compromise. The attack requires minimal effort and can be difficult to trace due to the delayed impact. Successful exploitation leads to full read/write access to all files in the targeted directory, as well as potential service disruption.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch provided by Froxlor in version 2.3.6, which corrects the call to <code>FileDir::makeCorrectDir()</code> in <code>DataDump.add()</code> to include the <code>$fixed_homedir</code> parameter (see fix in advisory).</li>
<li>Deploy the &quot;Froxlor DataDump API Call with Suspicious Path&quot; Sigma rule to detect API calls to <code>DataDump.add()</code> with potentially malicious paths in web server logs.</li>
<li>Implement the suggested fix in <code>ExportCron.php</code> to check if the destination path is a symlink before executing <code>chown -R</code> (see fix in advisory).</li>
<li>Monitor process creation events for the execution of <code>chown -R</code> by the root user or the user running the Froxlor cron jobs, with a destination path that may indicate a symlink using the &quot;Froxlor Suspicious chown Execution&quot; Sigma rule.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>froxlor</category><category>symlink</category><category>privilege-escalation</category></item><item><title>Froxlor PHP Code Injection via Unescaped Single Quotes in userdata.inc.php</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-froxlor-php-injection/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-froxlor-php-injection/</guid><description>Froxlor is vulnerable to PHP code injection due to unescaped single quotes in the userdata.inc.php generation via the MysqlServer API, where an administrator with `change_serversettings` permission can inject arbitrary PHP code, leading to arbitrary OS command execution as the web server user.</description><content:encoded><![CDATA[<p>Froxlor versions 2.3.5 and earlier contain a PHP code injection vulnerability in <code>userdata.inc.php</code> due to improper handling of single quotes. An administrator with the <code>change_serversettings</code> permission can inject arbitrary PHP code through the <code>MysqlServer.add</code> or <code>MysqlServer.update</code> API endpoints. The vulnerability exists because the <code>PhpHelper::parseArrayToString()</code> function writes string values into single-quoted PHP string literals without escaping single quotes.  Specifically, the <code>privileged_user</code> parameter, which lacks input validation, is written to <code>lib/userdata.inc.php</code>. Since this file is included on every request via <code>Database::getDB()</code>, a successful exploit results in arbitrary PHP code execution as the web server user. This allows attackers to compromise the server, exfiltrate data, move laterally, establish persistent backdoors, or cause denial of service.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An administrator with <code>change_serversettings</code> permission authenticates to the Froxlor API.</li>
<li>The attacker sends a POST request to <code>api.php</code> with the command <code>MysqlServer.add</code> or <code>MysqlServer.update</code>, injecting PHP code into the <code>privileged_user</code> parameter.</li>
<li>The API endpoint <code>lib/Froxlor/Api/Commands/MysqlServer.php</code> processes the request, calling <code>PhpHelper::parseArrayToPhpFile()</code> through <code>generateNewUserData()</code>.</li>
<li><code>PhpHelper::parseArrayToString()</code> at <code>lib/Froxlor/PhpHelper.php</code> formats the injected code without proper escaping, writing it into the 'user' key within an array.</li>
<li>The array is then written to <code>lib/userdata.inc.php</code> using <code>file_put_contents()</code>.</li>
<li>Subsequent HTTP requests to the Froxlor panel trigger <code>Database::getDB()</code> at <code>lib/Froxlor/Database/Database.php</code>.</li>
<li><code>Database::getDB()</code> includes <code>lib/userdata.inc.php</code> using <code>require</code>, resulting in the execution of the injected PHP code.</li>
<li>The injected code executes commands as the web server user, allowing the attacker to achieve their objectives such as data exfiltration or establishing a persistent backdoor.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows an admin with <code>change_serversettings</code> permissions to achieve arbitrary OS command execution as the web server user. This can lead to full server compromise, allowing attackers to read all hosted customer data, including database credentials and TLS private keys.  Attackers can also use the compromised server for lateral movement, accessing MySQL databases and other internal systems. The injected code persists on every request, providing a persistent backdoor.  Malformed PHP can also lead to a denial of service condition, disrupting the entire Froxlor panel.  The vulnerability affects Froxlor installations up to and including version 2.3.5.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch provided in the advisory that escapes single quotes in <code>PhpHelper::parseArrayToString()</code> before interpolating values, specifically by escaping backslashes and then single quotes.</li>
<li>Alternatively, use nowdoc syntax for all string values in <code>PhpHelper::parseArrayToString()</code> as defense-in-depth to completely prevent injection.</li>
<li>Deploy the Sigma rule <code>Detect Froxlor MysqlServer API Abuse</code> to identify potential exploitation attempts by monitoring API requests to the <code>/api.php</code> endpoint.</li>
<li>Enable webserver logging to detect the execution of injected php code, and tune the <code>Detect Froxlor PHP Code Injection in userdata.inc.php</code> Sigma rule.</li>
<li>Restrict and monitor <code>change_serversettings</code> permissions to reduce the attack surface.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>froxlor</category><category>php-injection</category><category>webserver</category></item></channel></rss>