GHSA-Q4RM-M6XH-5PV7
Vulnerability from github – Published: 2026-07-02 19:23 – Updated: 2026-07-02 19:23Summary
The Mysqls.add API command (lib/Froxlor/Api/Commands/Mysqls.php) accepts a customer-controlled mysql_server parameter and only validates that the value is numeric and that the server index exists in userdata.inc.php. It never checks the value against the calling customer's allowed_mysqlserver allowlist. A customer can therefore create a database, plus a MySQL user with a password they choose, on any MySQL server the operator has configured — including servers that were explicitly excluded from that customer (e.g. a separate cluster, premium-tier host, or another tenant pool). The same allowed_mysqlserver check is correctly enforced in MysqlServer::get() / MysqlServer::listing() and in the customer-facing UI (customer_mysql.php), confirming the omission is a bug, not by-design.
Details
Vulnerable code path — lib/Froxlor/Api/Commands/Mysqls.php:69-99 (add()):
public function add()
{
if (($this->getUserDetail('mysqls_used') < $this->getUserDetail('mysqls') || ...) {
...
$customer = $this->getCustomerData('mysqls'); // line 80
$dbserver = $this->getParam('mysql_server', true, // line 81 — user-controlled
$this->getDefaultMySqlServer($customer));
...
$dbserver = Validate::validate($dbserver, ..., '/^[0-9]+$/', ...); // line 92 — numeric only
Database::needRoot(true, $dbserver, false); // line 93 — root ctx for ANY index
Database::needSqlData();
$sql_root = Database::getSqlData();
Database::needRoot(false);
if (!is_array($sql_root)) { // line 97 — only existence check
throw new Exception("Database server with index #" . $dbserver . " is unknown", 404);
}
...
$username = $dbm->createDatabase($newdb_params['loginname'], $password,
$dbserver, ...); // line 116/118 — DB+user created
...
Database::pexecute($stmt, ["customerid"=>$customer['customerid'], ..., "dbserver"=>$dbserver], ...);
}
}
The $customer['allowed_mysqlserver'] field IS read on line 80 but is only consumed by getDefaultMySqlServer() (lines 566-573) to compute a default when the request omits mysql_server. As soon as the client supplies the parameter, the default path is skipped and no further authorization gate runs.
Cross-file evidence the check is intended elsewhere:
lib/Froxlor/Api/Commands/MysqlServer.php:319-323—get()rejects with HTTP 405 when$dbserveris not inallowed_mysqlserver:php if ($this->isAdmin() == false) { $allowed_mysqls = json_decode($this->getUserDetail('allowed_mysqlserver'), true); if ($allowed_mysqls === false || empty($allowed_mysqls) || !in_array($dbserver, $allowed_mysqls)) { throw new Exception("You cannot access this resource", 405); } ... }lib/Froxlor/Api/Commands/MysqlServer.php:252-257— same allowlist filter onlisting().customer_mysql.php:222— UI rejects withResponse::dynamicError('No permission')whenempty($allowed_mysqlservers).
Chain of execution (attacker → impact):
- Customer authenticates to
api.phpwith apikey/secret. The only API gate iscust_api_allowed;allowed_mysqlserveris not consulted at auth time. - Customer sends JSON
{"command":"Mysqls.add","params":{"mysql_password":"<valid>","mysql_server":<disallowed_idx>}}. Mysqls.php:71quota check passes (mysqls_used < mysqls).Mysqls.php:80getCustomerData('mysqls')returns the caller's own row.Mysqls.php:81$dbserveris set from the request (default-fallback path skipped).Mysqls.php:92numeric regex passes.Mysqls.php:93-99Database::needRoot(true, $dbserver, false)switches to the root context of the attacker-chosen server; existence check passes.Mysqls.php:116/118DbManager::createDatabase(...)runs against the disallowed server using stored root credentials, creating the DB and granting the supplied password to<loginname>_<sqlN>(DbManager.php:177-218).Mysqls.php:127-141inserts a row intoTABLE_PANEL_DATABASESwith the attacker'scustomeridand the disalloweddbserver, allowing later management viaMysqls.get/update/delete(which only filter bycustomeridfor non-admins, e.g.Mysqls.php:282).
PoC
Preconditions on the target instance:
- ≥2 MySQL servers configured in lib/userdata.inc.php (e.g. index 0 default, index 1 internal/premium).
- Customer X with allowed_mysqlserver=[0], cust_api_allowed=1, mysqls > 0, and an issued API key (apikey:secret).
Request — customer creates a database on server 1, which is not in their allowlist:
curl -k -u 'CUST_APIKEY:CUST_SECRET' \
-H 'Content-Type: application/json' \
-X POST \
-d '{"command":"Mysqls.add","params":{"mysql_password":"ValidP@ssw0rd!","mysql_server":1}}' \
https://froxlor.example.com/api.php
Expected (mirroring MysqlServer.get() behaviour): HTTP 405 — "You cannot access this resource".
Actual: HTTP 200 with the full database record, e.g.:
{"data":{"id":42,"customerid":<cust_id>,"databasename":"<loginname>_sql1","dbserver":1,...}}
Verify the credentials work on the forbidden server:
mysql -h server1.host -u <loginname>_sql1 -p # password: ValidP@ssw0rd!
mysql> SHOW DATABASES; # the new DB is present
mysql> USE <loginname>_sql1; # full access to the newly-created DB
The customer can subsequently manage the DB via Mysqls.get, Mysqls.update, and Mysqls.delete — those non-admin code paths filter only by customerid (Mysqls.php:282-289, Mysqls.php:380-391), which matches.
Impact
- Bypass of the per-customer MySQL-server allowlist (
allowed_mysqlserver) enforced by the admin/reseller. The authorization model is fully defeated for theaddoperation. - The customer obtains valid MySQL credentials on a server the operator explicitly excluded for them — possibly an internal/separate cluster, billing tier, premium-only host, or a server provisioned for a different tenant pool.
- The customer can persist a DB on the forbidden server (resource and policy bypass), then read/write data there, and continue to manage it through
Mysqls.update/Mysqls.delete. - Impact is bounded: privileges granted by
DbManager::grantPrivilegesToapply only to the new<loginname>_sqlNdatabase, so no cross-tenant data exposure on the forbidden server. The damage is policy bypass, resource consumption on the forbidden server, and credential persistence there.
Recommended Fix
Mirror the allowlist check already present in MysqlServer::get(). After the numeric validation on Mysqls.php:92, before Database::needRoot(...), add for non-admin callers:
// validate whether the dbserver exists
$dbserver = Validate::validate($dbserver, html_entity_decode(lng('mysql.mysql_server')), '/^[0-9]+$/', '', 0, true);
// enforce per-customer allowed_mysqlserver allowlist (parity with MysqlServer::get())
if (!$this->isAdmin()) {
$allowed = json_decode($customer['allowed_mysqlserver'] ?? '[]', true);
if (!is_array($allowed) || empty($allowed)
|| !in_array((int)$dbserver, array_map('intval', $allowed), true)) {
throw new Exception('You cannot access this resource', 405);
}
}
Database::needRoot(true, $dbserver, false);
Audit Mysqls::update(), Mysqls::delete(), and Mysqls::get() for the same gap: those endpoints accept mysql_server and ultimately call Database::needRoot(true, $result['dbserver'], false) on the row's stored value. Once the row exists with a forbidden dbserver, those paths execute against the forbidden server unchallenged. Consider rejecting any non-admin operation whose target row's dbserver is outside allowed_mysqlserver, even if the row already exists, to defend in depth.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.3.6"
},
"package": {
"ecosystem": "Packagist",
"name": "froxlor/froxlor"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.3.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T19:23:49Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nThe `Mysqls.add` API command (`lib/Froxlor/Api/Commands/Mysqls.php`) accepts a customer-controlled `mysql_server` parameter and only validates that the value is numeric and that the server index exists in `userdata.inc.php`. It never checks the value against the calling customer\u0027s `allowed_mysqlserver` allowlist. A customer can therefore create a database, plus a MySQL user with a password they choose, on any MySQL server the operator has configured \u2014 including servers that were explicitly excluded from that customer (e.g. a separate cluster, premium-tier host, or another tenant pool). The same `allowed_mysqlserver` check is correctly enforced in `MysqlServer::get()` / `MysqlServer::listing()` and in the customer-facing UI (`customer_mysql.php`), confirming the omission is a bug, not by-design.\n\n## Details\n\n**Vulnerable code path** \u2014 `lib/Froxlor/Api/Commands/Mysqls.php:69-99` (`add()`):\n\n```php\npublic function add()\n{\n if (($this-\u003egetUserDetail(\u0027mysqls_used\u0027) \u003c $this-\u003egetUserDetail(\u0027mysqls\u0027) || ...) {\n ...\n $customer = $this-\u003egetCustomerData(\u0027mysqls\u0027); // line 80\n $dbserver = $this-\u003egetParam(\u0027mysql_server\u0027, true, // line 81 \u2014 user-controlled\n $this-\u003egetDefaultMySqlServer($customer));\n ...\n $dbserver = Validate::validate($dbserver, ..., \u0027/^[0-9]+$/\u0027, ...); // line 92 \u2014 numeric only\n Database::needRoot(true, $dbserver, false); // line 93 \u2014 root ctx for ANY index\n Database::needSqlData();\n $sql_root = Database::getSqlData();\n Database::needRoot(false);\n if (!is_array($sql_root)) { // line 97 \u2014 only existence check\n throw new Exception(\"Database server with index #\" . $dbserver . \" is unknown\", 404);\n }\n ...\n $username = $dbm-\u003ecreateDatabase($newdb_params[\u0027loginname\u0027], $password,\n $dbserver, ...); // line 116/118 \u2014 DB+user created\n ...\n Database::pexecute($stmt, [\"customerid\"=\u003e$customer[\u0027customerid\u0027], ..., \"dbserver\"=\u003e$dbserver], ...);\n }\n}\n```\n\nThe `$customer[\u0027allowed_mysqlserver\u0027]` field IS read on line 80 but is only consumed by `getDefaultMySqlServer()` (lines 566-573) to compute a default when the request omits `mysql_server`. As soon as the client supplies the parameter, the default path is skipped and no further authorization gate runs.\n\n**Cross-file evidence the check is intended elsewhere:**\n\n- `lib/Froxlor/Api/Commands/MysqlServer.php:319-323` \u2014 `get()` rejects with HTTP 405 when `$dbserver` is not in `allowed_mysqlserver`:\n ```php\n if ($this-\u003eisAdmin() == false) {\n $allowed_mysqls = json_decode($this-\u003egetUserDetail(\u0027allowed_mysqlserver\u0027), true);\n if ($allowed_mysqls === false || empty($allowed_mysqls) || !in_array($dbserver, $allowed_mysqls)) {\n throw new Exception(\"You cannot access this resource\", 405);\n }\n ...\n }\n ```\n- `lib/Froxlor/Api/Commands/MysqlServer.php:252-257` \u2014 same allowlist filter on `listing()`.\n- `customer_mysql.php:222` \u2014 UI rejects with `Response::dynamicError(\u0027No permission\u0027)` when `empty($allowed_mysqlservers)`.\n\n**Chain of execution (attacker \u2192 impact):**\n\n1. Customer authenticates to `api.php` with apikey/secret. The only API gate is `cust_api_allowed`; `allowed_mysqlserver` is not consulted at auth time.\n2. Customer sends JSON `{\"command\":\"Mysqls.add\",\"params\":{\"mysql_password\":\"\u003cvalid\u003e\",\"mysql_server\":\u003cdisallowed_idx\u003e}}`.\n3. `Mysqls.php:71` quota check passes (`mysqls_used \u003c mysqls`).\n4. `Mysqls.php:80` `getCustomerData(\u0027mysqls\u0027)` returns the caller\u0027s own row.\n5. `Mysqls.php:81` `$dbserver` is set from the request (default-fallback path skipped).\n6. `Mysqls.php:92` numeric regex passes.\n7. `Mysqls.php:93-99` `Database::needRoot(true, $dbserver, false)` switches to the root context of the attacker-chosen server; existence check passes.\n8. `Mysqls.php:116/118` `DbManager::createDatabase(...)` runs against the disallowed server using stored root credentials, creating the DB and granting the supplied password to `\u003cloginname\u003e_\u003csqlN\u003e` (DbManager.php:177-218).\n9. `Mysqls.php:127-141` inserts a row into `TABLE_PANEL_DATABASES` with the attacker\u0027s `customerid` and the disallowed `dbserver`, allowing later management via `Mysqls.get/update/delete` (which only filter by `customerid` for non-admins, e.g. `Mysqls.php:282`).\n\n## PoC\n\nPreconditions on the target instance:\n- \u22652 MySQL servers configured in `lib/userdata.inc.php` (e.g. index 0 default, index 1 internal/premium).\n- Customer X with `allowed_mysqlserver=[0]`, `cust_api_allowed=1`, `mysqls \u003e 0`, and an issued API key (`apikey:secret`).\n\nRequest \u2014 customer creates a database on server `1`, which is *not* in their allowlist:\n\n```bash\ncurl -k -u \u0027CUST_APIKEY:CUST_SECRET\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n -X POST \\\n -d \u0027{\"command\":\"Mysqls.add\",\"params\":{\"mysql_password\":\"ValidP@ssw0rd!\",\"mysql_server\":1}}\u0027 \\\n https://froxlor.example.com/api.php\n```\n\nExpected (mirroring `MysqlServer.get()` behaviour): `HTTP 405 \u2014 \"You cannot access this resource\"`.\nActual: `HTTP 200` with the full database record, e.g.:\n\n```json\n{\"data\":{\"id\":42,\"customerid\":\u003ccust_id\u003e,\"databasename\":\"\u003cloginname\u003e_sql1\",\"dbserver\":1,...}}\n```\n\nVerify the credentials work on the forbidden server:\n\n```bash\nmysql -h server1.host -u \u003cloginname\u003e_sql1 -p # password: ValidP@ssw0rd!\nmysql\u003e SHOW DATABASES; # the new DB is present\nmysql\u003e USE \u003cloginname\u003e_sql1; # full access to the newly-created DB\n```\n\nThe customer can subsequently manage the DB via `Mysqls.get`, `Mysqls.update`, and `Mysqls.delete` \u2014 those non-admin code paths filter only by `customerid` (`Mysqls.php:282-289`, `Mysqls.php:380-391`), which matches.\n\n## Impact\n\n- Bypass of the per-customer MySQL-server allowlist (`allowed_mysqlserver`) enforced by the admin/reseller. The authorization model is fully defeated for the `add` operation.\n- The customer obtains valid MySQL credentials on a server the operator explicitly excluded for them \u2014 possibly an internal/separate cluster, billing tier, premium-only host, or a server provisioned for a different tenant pool.\n- The customer can persist a DB on the forbidden server (resource and policy bypass), then read/write data there, and continue to manage it through `Mysqls.update` / `Mysqls.delete`.\n- Impact is bounded: privileges granted by `DbManager::grantPrivilegesTo` apply only to the new `\u003cloginname\u003e_sqlN` database, so no cross-tenant data exposure on the forbidden server. The damage is policy bypass, resource consumption on the forbidden server, and credential persistence there.\n\n## Recommended Fix\n\nMirror the allowlist check already present in `MysqlServer::get()`. After the numeric validation on `Mysqls.php:92`, before `Database::needRoot(...)`, add for non-admin callers:\n\n```php\n// validate whether the dbserver exists\n$dbserver = Validate::validate($dbserver, html_entity_decode(lng(\u0027mysql.mysql_server\u0027)), \u0027/^[0-9]+$/\u0027, \u0027\u0027, 0, true);\n\n// enforce per-customer allowed_mysqlserver allowlist (parity with MysqlServer::get())\nif (!$this-\u003eisAdmin()) {\n $allowed = json_decode($customer[\u0027allowed_mysqlserver\u0027] ?? \u0027[]\u0027, true);\n if (!is_array($allowed) || empty($allowed)\n || !in_array((int)$dbserver, array_map(\u0027intval\u0027, $allowed), true)) {\n throw new Exception(\u0027You cannot access this resource\u0027, 405);\n }\n}\n\nDatabase::needRoot(true, $dbserver, false);\n```\n\nAudit `Mysqls::update()`, `Mysqls::delete()`, and `Mysqls::get()` for the same gap: those endpoints accept `mysql_server` and ultimately call `Database::needRoot(true, $result[\u0027dbserver\u0027], false)` on the row\u0027s stored value. Once the row exists with a forbidden `dbserver`, those paths execute against the forbidden server unchallenged. Consider rejecting any non-admin operation whose target row\u0027s `dbserver` is outside `allowed_mysqlserver`, even if the row already exists, to defend in depth.",
"id": "GHSA-q4rm-m6xh-5pv7",
"modified": "2026-07-02T19:23:49Z",
"published": "2026-07-02T19:23:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-q4rm-m6xh-5pv7"
},
{
"type": "PACKAGE",
"url": "https://github.com/froxlor/froxlor"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Froxlor customer can create MySQL databases on disallowed servers via Mysqls.add API"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.