Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
The DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs.
Affected Code
lib/Froxlor/Api/Commands/DomainZones.php, lines 213-214, 253-254, 290-291, 292-293:
} elseif ($type == 'LOC' && !empty($content)) {
$content = $content; // no validation
} ...
} elseif ($type == 'RP' && !empty($content)) {
$content = $content; // no validation
} ...
} elseif ($type == 'SSHFP' && !empty($content)) {
$content = $content; // no validation
} elseif ($type == 'TLSA' && !empty($content)) {
$content = $content; // no validation
}There is even a TODO comment at line 148 acknowledging this gap:
// TODO regex validate content for invalid charactersThe content is then written directly into the BIND zone file via DnsEntry::__toString() (line 83 of lib/Froxlor/Dns/DnsEntry.php):
return $this->record . "\t" . $this->ttl . "\t" . $this->class . "\t" . $this->type . "\t" ... . $_content . PHP_EOL;And the zone file is written to disk in lib/Froxlor/Cron/Dns/Bind.php line 121:
fwrite($zonefile_handler, $zoneContent . $subzones);PoC
As a customer with DNS management enabled and an API key, add a LOC record with injected BIND directives:
curl -s -u "API_KEY:API_SECRET" \
-H 'Content-Type: application/json' \
-d '{"command":"DomainZones.add","params":{"domainname":"example.com","type":"LOC","content":"0 0 0 N 0 0 0 E 0\n$INCLUDE /etc/passwd"}}' \
https://panel.example.com/api.phpAlternatively via the web UI, intercept the DNS editor form POST and set dns_content to 0 0 0 N 0 0 0 E 0\n$INCLUDE /etc/passwd and dns_type to LOC.
After the DNS rebuild cron runs, the resulting zone file at {bindconf_directory}/domains/example.com.zone will contain:
@ 18000 IN LOC 0 0 0 N 0 0 0 E 0
$INCLUDE /etc/passwdBIND will process the $INCLUDE directive and attempt to parse /etc/passwd as zone data. While most lines will fail to parse as valid records, the file content is readable by the BIND process (running as bind/named user), confirming file existence and potentially leaking parseable lines as DNS records.
Impact
- Information Disclosure: The
$INCLUDEdirective lets a customer read world-readable files on the server through the DNS subsystem. The zone content (including included files) is visible to the customer via theDomainZones.getAPI call or the DNS editor in the web UI. - DNS Service Disruption: Malformed zone content can cause BIND to fail to load the zone, causing DNS outage for the affected domain. Injecting
$GENERATEdirectives could create massive record sets for amplification attacks. - Zone Data Manipulation: Arbitrary DNS records can be injected by breaking out of the current record line with newlines, allowing the customer to create records that were not intended.
AnalysisAI
Froxlor, a web hosting control panel, contains an injection vulnerability in its DNS zone management API that allows authenticated customers with DNS privileges to inject BIND zone file directives (such as $INCLUDE) through unvalidated content fields in LOC, RP, SSHFP, and TLSA DNS record types. Attackers can leverage this to read arbitrary world-readable files on the server, disrupt DNS services, or inject unauthorized DNS records. A proof-of-concept exploit is publicly available demonstrating file inclusion attacks, and patches have been released by the vendor in version 2.3.5.
Technical ContextAI
This vulnerability affects Froxlor (composer package froxlor/froxlor), a PHP-based web hosting control panel that generates BIND DNS zone files. The root cause is CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), specifically injection into zone files. The affected code in DomainZones.php performs no validation on the content parameter for LOC, RP, SSHFP, and TLSA record types before writing them to BIND zone files through DnsEntry::__toString(). When the DNS rebuild cron executes, these unsanitized values are written directly to zone files using fwrite() in Bind.php. BIND then processes these files, interpreting embedded directives like $INCLUDE as legitimate zone file commands, allowing file system access within the BIND process context and zone data manipulation.
RemediationAI
Upgrade Froxlor to version 2.3.5 or later, which contains the fix implemented in commit b34829262dc32818b37f6a1eabb426d0b277a86b available at https://github.com/froxlor/froxlor/commit/b34829262dc32818b37f6a1eabb426d0b277a86b. The patch adds proper input validation to prevent newline injection and BIND directive inclusion in DNS record content fields. Until patching is completed, operators can temporarily disable customer access to LOC, RP, SSHFP, and TLSA record creation through API access restrictions or database-level permissions, though this may impact legitimate DNS management functionality. Review existing DNS zones for suspicious content containing newlines or BIND directives through the zone file directory configured in bindconf_directory. Consult the release notes at https://github.com/froxlor/froxlor/releases/tag/2.3.5 for complete upgrade instructions.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same technique Information Disclosure
View allVendor StatusVendor
Debian
Bug #581792| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| open | - | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14964
GHSA-x6w6-2xwp-3jh6