CVE-2026-30932

HIGH8.8EPSS 0.03%

Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API

發布日:2026/3/24修改日:2026/3/30
也稱為:GHSA-x6w6-2xwp-3jh6

描述

## Summary The `DomainZones.add` API endpoint (accessible to customers with DNS enabled) does not validate the `content` field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. `$INCLUDE`) into the zone file that gets written to disk when the DNS rebuild cron job runs. ## Affected Code `lib/Froxlor/Api/Commands/DomainZones.php`, lines 213-214, 253-254, 290-291, 292-293: ```php } elseif ($type == 'LOC' && !empty($content)) { $content = $content; // no validation } ... } elseif ($type == 'RP' && !empty($content)) { $content = $content; // no validation } ... } elseif ($type == 'SSHFP' && !empty($content)) { $content = $content; // no validation } elseif ($type == 'TLSA' && !empty($content)) { $content = $content; // no validation } ``` There is even a TODO comment at line 148 acknowledging this gap: ```php // TODO regex validate content for invalid characters ``` The content is then written directly into the BIND zone file via `DnsEntry::__toString()` (line 83 of `lib/Froxlor/Dns/DnsEntry.php`): ```php return $this->record . "\t" . $this->ttl . "\t" . $this->class . "\t" . $this->type . "\t" ... . $_content . PHP_EOL; ``` And the zone file is written to disk in `lib/Froxlor/Cron/Dns/Bind.php` line 121: ```php fwrite($zonefile_handler, $zoneContent . $subzones); ``` ## PoC As a customer with DNS management enabled and an API key, add a LOC record with injected BIND directives: ```bash curl -s -u "API_KEY:API_SECRET" \ -H 'Content-Type: application/json' \ -d '{"command":"DomainZones.add","params":{"domainname":"example.com","type":"LOC","content":"0 0 0 N 0 0 0 E 0\n$INCLUDE /etc/passwd"}}' \ https://panel.example.com/api.php ``` Alternatively via the web UI, intercept the DNS editor form POST and set `dns_content` to `0 0 0 N 0 0 0 E 0\n$INCLUDE /etc/passwd` and `dns_type` to `LOC`. After the DNS rebuild cron runs, the resulting zone file at `{bindconf_directory}/domains/example.com.zone` will contain: ``` @ 18000 IN LOC 0 0 0 N 0 0 0 E 0 $INCLUDE /etc/passwd ``` BIND will process the `$INCLUDE` directive and attempt to parse `/etc/passwd` as zone data. While most lines will fail to parse as valid records, the file content is readable by the BIND process (running as `bind`/`named` user), confirming file existence and potentially leaking parseable lines as DNS records. ## Impact 1. **Information Disclosure**: The `$INCLUDE` directive lets a customer read world-readable files on the server through the DNS subsystem. The zone content (including included files) is visible to the customer via the `DomainZones.get` API call or the DNS editor in the web UI. 2. **DNS Service Disruption**: Malformed zone content can cause BIND to fail to load the zone, causing DNS outage for the affected domain. Injecting `$GENERATE` directives could create massive record sets for amplification attacks. 3. **Zone Data Manipulation**: Arbitrary DNS records can be injected by breaking out of the current record line with newlines, allowing the customer to create records that were not intended.

受影響套件(1)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
osvCVSS 3.1HIGH8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

參考連結(5)