Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against the list of available language files. An authenticated customer can set `def_language` to a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`), which is stored in the database. On subsequent requests, `Language::loadLanguage()` constructs a file path using this value and executes it via `require`, achieving arbitrary PHP code execution as the web server user. Version 2.3.6 fixes the issue.
The API endpoint `Customers.update` (and `Admins.update`) does not validate the `def_language` parameter against a list of available language files. An authenticated user can pass a path traversal payload (e.g., `../../../../../var/customers/webs/customer1/evil`) as the value of this parameter, which is then stored in the database. On subsequent requests, the `Language::loadLanguage()` function constructs the file path based on this value and executes it with the `require` instruction, leading to arbitrary PHP code execution as the web server process user.
An attacker can execute arbitrary PHP code on the server with the privileges of the web server user, which in practice means complete takeover of the application, access to customer data, and potential lateral movement in the hosting infrastructure.
Froxlor should be updated to version 2.3.6, which introduces validation of the `def_language` parameter against a list of available language files. The patch is available in the manufacturer's GitHub repository (commit bc5e6dbaa90e6f3573129da640595e8c770e1d0c) and in release 2.3.6.
Froxlor in all versions before 2.3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HFroxlor
APPFroxlor< 2.3.6
Related vulnerabilities
Froxlor: wstrzyknięcie kodu PHP przez nieskonfigurowany parametr MySQL
RCE z uprawnieniami root w Froxlor przez błąd walidacji pól e-mail
Improper Link Resolution Before File Access in GitHub repository froxlor/froxlor prior to 2.1.0.
Improper Restriction of Excessive Authentication Attempts in GitHub repository froxlor/froxlor prior to 2.0.20...
Authentication Bypass by Primary Weakness in GitHub repository froxlor/froxlor prior to 2.0.13.