Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
Summary
Froxlor 2.3.6 lets administrators configure system.available_shells as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers do not enforce that whitelist when processing add or edit requests.
As a result, an authenticated customer with shell delegation enabled can submit an arbitrary shell such as /bin/bash even when the panel UI only offers more restricted choices. In deployments that use the default nssextrausers integration, the attacker-controlled shell is then propagated into the system account database, leading to real host shell access.
Details
The customer-facing FTP account page builds the shell selector from system.available_shells, which shows that the product intends the setting to act as the authorization boundary:
// customer_ftp.php:138-149
$shells = [
'/bin/false' => '/bin/false'
];
$availableshells = explode(',', Settings::Get('system.available_shells'));
if (is_array($availableshells) && !empty($availableshells)) {
foreach ($availableshells as $shell) {
$shells[trim($shell)] = trim($shell);
}
}The request handler forwards posted form data directly into the FTP API command implementation:
// customer_ftp.php:170-172
if ($action == 'edit' && Request::post('send') == 'send') {
$result = $log->logAction(USR_ACTION, LOG_INFO, "edited ftp-account #" . $id);
Commands::get()->apiCall('Ftps.update', Request::postAll());
}On the server side, Ftps::add() and Ftps::update() only perform generic shell string validation. They do not verify that the submitted shell belongs to system.available_shells:
// lib/Froxlor/Api/Commands/Ftps.php:119-123
if (Settings::Get('system.allow_customer_shell') == '1' && $this->getUserDetail('shell_allowed') == '1') {
$shell = Validate::validate(trim($shell), 'shell', '', '', [], true);
} else {
$shell = '/bin/false';
}The validated shell is stored into ftp_users.shell and later consumed by the root-owned cron task that rebuilds NSS extrausers files:
// lib/Froxlor/Cron/System/Extrausers.php:89-97
$passwd_entries[] = $user['username'] . ':x:' . $uid . ':' . $gid . ':' . $gecos . ':' . $homedir . ':' . $shell;Because the default installer configuration sets system.nssextrausers=1, and the shipped Debian/Bookworm configuration enables extrausers in nsswitch.conf, the attacker-controlled shell becomes the effective login shell of the generated system user on standard supported deployments.
PoC
An attacker needs a normal customer account and a deployment where customer shell delegation is enabled for that customer.
Relevant runtime prerequisites:
system.allow_customer_shell=1- the attacking customer has
shell_allowed=1 - the deployment uses
system.nssextrausers=1with the shippedlibnss-extrausersintegration
Froxlor requires a valid CSRF token for POST requests, so the attacker performs the exploit from an authenticated session.
Complete PoC flow:
- Log in as a customer and obtain a valid
csrf_token. - Identify one FTP account owned by that customer.
- Submit an edit request that sets an arbitrary shell outside the administrator-approved
system.available_shellslist:
POST /customer_ftp.php?page=accounts&action=edit&id=17 HTTP/1.1
Host: target.example
Content-Type: application/x-www-form-urlencoded
Cookie: <authenticated customer session>
csrf_token=VALID_CSRF_TOKEN&
send=send&
id=17&
username=test1ftp1&
ftp_description=poc&
path=/&
shell=/bin/bash&
login_enabled=1- Wait for Froxlor's master cron to process the queued
REBUILD_NSSUSERStask.
Result:
- the request is accepted even if
/bin/bashis not present insystem.available_shells ftp_users.shellis updated to/bin/bash/var/lib/extrausers/passwdis regenerated with/bin/bashas the FTP user's login shell- the attacker can then authenticate to the host using that FTP user's credentials and obtain an interactive shell
Impact
This issue lets a low-privileged customer bypass an administrator-defined authorization boundary and promote an FTP-only account into a real shell account. On shared-hosting systems managed by Froxlor, that materially changes the trust model and can expose the host to lateral movement, local privilege-escalation follow-on attacks, data theft from colocated services, and persistence on the server.
Because the vulnerable flow is executed through the normal authenticated web interface and a root-owned provisioning task later materializes the chosen shell at the operating-system level, the vulnerability is stronger than a UI-only restriction bypass.
AnalysisAI
Authorization bypass in Froxlor 2.3.6 allows an authenticated low-privileged customer with shell delegation enabled to assign an arbitrary login shell (e.g., /bin/bash) to an FTP account, escaping the administrator-defined system.available_shells whitelist. On default Debian-based deployments using nssextrausers, a root-owned cron job propagates the attacker-chosen shell into /var/lib/extrausers/passwd, converting the FTP-only account into an interactive host shell account. Publicly available exploit code exists (POC published in the GHSA advisory); no public exploit identified at time of analysis as being actively used in the wild.
Technical ContextAI
Froxlor is a PHP-based open-source server management/hosting control panel commonly deployed on Debian for shared-hosting environments. The defect is a CWE-863 incorrect authorization issue: customer_ftp.php builds the UI shell selector from the Settings::Get('system.available_shells') whitelist, but the server-side Ftps::add() and Ftps::update() API handlers in lib/Froxlor/Api/Commands/Ftps.php only invoke Validate::validate($shell, 'shell', ...) - a generic format check - without comparing the submitted shell against that whitelist. The stored value in ftp_users.shell is then consumed verbatim by lib/Froxlor/Cron/System/Extrausers.php, which writes it as the seventh field of a passwd line in /var/lib/extrausers/passwd. Because the default installer enables system.nssextrausers=1 and the shipped nsswitch.conf routes account lookups through libnss-extrausers, the chosen shell becomes the effective login shell at the OS layer. CPE: pkg:composer/froxlor_froxlor.
RemediationAI
Vendor-released patch: upgrade Froxlor to 2.3.7 or later, which adds explicit enforcement that the submitted shell exists in system.available_shells inside Ftps.add/update (see release notes at https://github.com/froxlor/froxlor/releases/tag/2.3.7 and advisory https://github.com/froxlor/froxlor/security/advisories/GHSA-gcv3-5v9q-fmhh). If immediate upgrade is not possible, set system.allow_customer_shell=0 globally or disable shell_allowed on every customer account so the API path forces /bin/false (this removes the customer-facing feature of choosing shells, which is the intended workaround trade-off). As an additional compensating control on Debian deployments, disabling system.nssextrausers and removing extrausers from nsswitch.conf prevents the panel-stored shell from being materialized into the OS passwd database, but this breaks Froxlor's intended NSS-based FTP user provisioning and should be considered only as a stopgap. Also audit ftp_users.shell for values outside the configured available_shells whitelist and reset any unexpected entries to /bin/false before applying the patch.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-863 – Incorrect Authorization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34314
GHSA-gcv3-5v9q-fmhh