Listen to this Post
CVE-2026-30932 affects froxlor’s DNS record handling in DomainZones.php. Before the patch, LOC, RP, SSHFP, and TLSA records had zero validation – any content was accepted and directly concatenated into bind9 zone files via DnsEntry.php line 83. An authenticated attacker with DNS management permissions could inject newlines, generating arbitrary DNS records. The patch introduced format‑specific validators, but two critical gaps remain. First, the LOC validator uses regex `\s+` to match whitespace. In PHP’s PCRE engine, `\s+` includes newlines (0x0A, 0x0D). Therefore a malicious LOC record like `”51 28 38 N 0 0 1\nW\n10m”` passes validation but produces three separate lines in the zone file, enabling injection of extra A, CNAME, or `MX` records. Second, the TLSA validator for `matchingType=0` only checks `len(data) >= 2` with no upper bound. An attacker can supply a hex payload of 100,000+ characters, turning the zone file into an amplification vector or data exfiltration channel. Third, all validators return raw input without any zone‑file escaping. Even when validation succeeds, content is inserted verbatim, so any newline or special character not explicitly blocked becomes an injection primitive. The PoC demonstrates SSHFP injection bypassing the fixed version via newline placement, LOC newline bypass across multiple templates, and a 50,000‑byte TLSA payload that passes validation. The root cause is treating validation and output encoding as separate concerns – validation accepts dangerous characters, and output encoding is absent.
DailyCVE Form:
Platform: froxlor
Version: before b3482926
Vulnerability : DNS zone injection
Severity: Medium
date: 2026-05-29
Prediction: 2026-06-15
What Undercode Say:
git clone https://github.com/froxlor/froxlor /tmp/froxlor_test cd /tmp/froxlor_test && git checkout b34829262dc3~1 python3 poc.py Expected: "VULNERABILITY CONFIRMED" with injected A record 6.6.6.6 LOC newline bypass: injects extra zone lines TLSA unbounded payload: 100000+ hex chars accepted
Exploit:
Authenticated user crafts LOC record with embedded newlines: "51 28 38 N 0 0 1\nW\n10m\nexample.com.\t300\tIN\tA\t1.2.3.4". Passes LOC validation, writes three zone lines. TLSA injection: `”3 1 0 ” + “aa”50000` passes `matchingType=0` check (only len>=2), adds huge blob to zone file. No escaping – newlines, tabs, and shell metacharacters reach bind9.
Protection:
Replace `\s+` with `[ \t]+` in LOC regex. Enforce maximum length for TLSA `matchingType=0` (e.g., ≤1024 hex chars). Apply output escaping: reject or escape newlines, carriage returns, and tabs before writing to zone file. Use `addslashes` or dedicated DNS zone file encoder.
Impact:
Domain hijacking (inject malicious A/CNAME records). Phishing via subdomain takeover. DNS amplification – oversized TLSA records increase zone file size, stressing bind9 and network links. Data exfiltration – encoded data inside TLSA hex payload. Complete compromise of DNS resolution for affected zones.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

