Security researchers have sounded the alarm on two critical vulnerabilities within Froxlor, the popular open-source server management panel. The flaws, which include a maximum-severity CVSS 10 rating, could allow authenticated attackers to bypass security layers, execute arbitrary code, and establish persistent backdoors that trigger on every single request made to the system.
The most severe of the two issues involves the Froxlor API’s handling of user language settings. While the standard Web UI includes robust checks to ensure language files are legitimate, the API endpoints for Customers.update and Admins.update were found to have a significant validation gap.
According to the technical report, the API “only runs Validate::validate() with the default regex… which permits path traversal sequences”. By exploiting this, an authenticated customer can change their default language to point to a malicious file located anywhere on the server—for example, ../../../../../var/customers/webs/customer1/evil.
The danger is realized the moment the user makes a subsequent request. The report warns that “Language::loadLanguage() constructs a file path using this value and executes it via require, achieving arbitrary PHP code execution as the web server user”.
The second vulnerability strikes at the core of Froxlor’s configuration management. Researchers identified a failure in how the system escapes single quotes when writing data to the userdata.inc.php file via PhpHelper::parseArrayToString().
By injecting malicious PHP code into fields like privileged_user, mysql_ca, or even the description field, an attacker can overwrite the configuration file with their own logic. The impact of this is particularly insidious: “The injected code executes on every request, providing persistent access” to the server. This effectively turns the legitimate configuration file into a permanent, “invisible” web shell.
To secure affected Froxlor instances, administrators and developers are urged to implement the following technical fixes:
- Standardize Validation: Ensure the API uses the same strict Language::getLanguages() check as the Web UI to block path traversal.
- Escape Correctly: Update lib/Froxlor/PhpHelper.php to properly escape both backslashes and single quotes before interpolating values into PHP strings.
- Adopt “Nowdoc” Syntax: The report suggests using nowdoc syntax for all string values in configuration files to provide “complete injection safety”.
- Harden Database Inputs: Add explicit input validation to the mysql_ca and privileged_user fields within MysqlServer::add() as a defense-in-depth measure.
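As an added illustration of the second and third items above (not Froxlor's code; the function names and the nowdoc terminator `CFGVAL` are hypothetical), a stand-in for the step that writes a config array out as PHP source, in the unescaped form the report describes, the escaped form, and the nowdoc form:

```php
<?php
// Added illustration (not Froxlor's code): a stand-in for the step that
// serialises a config array into PHP source for userdata.inc.php.
// Function names and the CFGVAL terminator are hypothetical.

// Weak form, as the report describes: values land in single-quoted
// literals without escaping, so a quote ends the literal early.
function arrayToPhpWeak(array $data): string
{
    $out = "<?php\n\$sql = [\n";
    foreach ($data as $key => $value) {
        $out .= "    '" . $key . "' => '" . $value . "',\n";
    }
    return $out . "];\n";
}

// Hardened form: addcslashes prefixes every backslash and single quote
// with a backslash in one pass, so the value stays inside its literal.
function arrayToPhpEscaped(array $data): string
{
    $out = "<?php\n\$sql = [\n";
    foreach ($data as $key => $value) {
        $k = addcslashes((string) $key, "\\'");
        $v = addcslashes((string) $value, "\\'");
        $out .= "    '" . $k . "' => '" . $v . "',\n";
    }
    return $out . "];\n";
}

// Nowdoc form (PHP >= 7.3): the body is never interpreted, so the only
// thing to reject is a value with a line that would act as the terminator.
function arrayToPhpNowdoc(array $data): string
{
    $out = "<?php\n\$sql = [\n";
    foreach ($data as $key => $value) {
        $v = (string) $value;
        if (preg_match('/^\s*CFGVAL\b/m', $v)) {
            throw new InvalidArgumentException('value would close the nowdoc');
        }
        $k = addcslashes((string) $key, "\\'");
        $out .= "    '" . $k . "' => <<<'CFGVAL'\n" . $v . "\nCFGVAL,\n";
    }
    return $out . "];\n";
}

// Constructed sample: a description that closes the literal and adds a key.
$sample = ['description' => "ok', 'extra' => 'added"];
echo arrayToPhpWeak($sample);     // structure changed: two keys appear
echo arrayToPhpEscaped($sample);  // one key, value kept verbatim
echo arrayToPhpNowdoc($sample);   // one key, no escaping needed
```

Comparing the three outputs shows why the report calls the nowdoc form "complete injection safety": nothing in the value is ever parsed as PHP.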