Froxlor v2.0.6 Remote Command Execution (CVE-2023-0315)

Summary about Froxlor

Froxlor is a web-based server management software for Linux-based operating systems. It is primarily used to manage web hosting environments and allows users to create and manage websites, email accounts, and FTP accounts.

It also provides tools for monitoring server resources and managing backups. Froxlor is written in PHP and uses a MySQL database to store its data. It is open-source software and can be installed on a variety of Linux distributions, including Debian and Ubuntu.

About the vulnerability

Froxlor suffers from a bug that lets an authenticated user change the application's log file path, through the backend and without any restriction, to any location on the OS that the www-data user can write to. Pointing that path at a directory the template engine loads from lets the user write a malicious Twig template that the application will then render.

The result is remote command execution as the www-data user.

In this blog post, we trace the root cause of the bug, analyze why it happened, and look at which controls inside the application prevented us from exploiting the issue directly in other common cases.

Writing Log files

While auditing Froxlor, I came across the following interesting code snippet in lib/Froxlor/FroxlorLogger.php:

    if (self::$is_initialized == false) {
        foreach (self::$logtypes as $logger) {
            switch ($logger) {
                case 'syslog':
                    self::$ml->pushHandler(new SyslogHandler('froxlor', LOG_USER, Logger::DEBUG));
                    break;
                case 'file':
                    $logger_logfile = Settings::Get('logger.logfile');
                    // is_writable needs an existing file to check if it's actually writable
                    @touch($logger_logfile);
                    if (empty($logger_logfile) || !is_writable($logger_logfile)) {
                        Settings::Set('logger.logfile',
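The snippet only asks whether the configured file is writable, which any www-data-writable location satisfies. As an added example (not Froxlor's own code), here is what a location-aware check for that setting could look like; the allowed directory `LOG_DIR` and the sample paths are assumptions.

```php
<?php
// Added example, not Froxlor's code: a validator for a user-supplied log-file path
// that checks *where* the file is, not only whether www-data can write it.
// ASSUMPTION: logs are only allowed directly under /var/log/froxlor (placeholder).
const LOG_DIR = '/var/log/froxlor';

/**
 * Returns the canonical path if $userPath names a *.log file directly inside
 * LOG_DIR; otherwise returns null so the caller can refuse the setting.
 */
function validateLogfilePath(string $userPath): ?string
{
    // Reject empty values and embedded NUL bytes before touching the filesystem.
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    // Only plain, non-hidden *.log file names; a ".twig" or ".php" name never passes.
    $base = basename($userPath);
    if (!preg_match('/^[A-Za-z0-9._-]+\.log$/', $base) || $base[0] === '.') {
        return null;
    }
    // The file may not exist yet, but its directory must, and after resolving
    // symlinks and ".." it must be LOG_DIR itself (no subdirectories, no escapes).
    $parent  = realpath(dirname($userPath));
    $allowed = realpath(LOG_DIR);
    if ($parent === false || $allowed === false || $parent !== $allowed) {
        return null;
    }
    // Refuse to write through a pre-planted symlink pointing somewhere else.
    $canonical = $parent . DIRECTORY_SEPARATOR . $base;
    if (is_link($canonical)) {
        return null;
    }
    return $canonical;
}

// Constructed sample inputs (not from the original post):
$samples = [
    '/var/log/froxlor/froxlor.log',            // accepted if LOG_DIR exists
    '/var/log/froxlor/../../www/x.html.twig',  // rejected: not a *.log name
    '/var/www/froxlor/templates/evil.log',     // rejected: outside LOG_DIR
    '',                                        // rejected: empty
];
foreach ($samples as $s) {
    printf("%-45s -> %s\n", var_export($s, true), validateLogfilePath($s) ?? 'REJECTED');
}
```

On a host where `LOG_DIR` does not exist, `realpath` returns false and every input is refused, so the check fails closed rather than falling back to a writability-only test.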
