Froxlor Email Validation Bypass and Root-Level Remote Code Execution Vulnerability

Vulnerability

A critical vulnerability in Froxlor versions prior to 2.3.4 allows an email validation bypass that leads to arbitrary command execution as root via a scheduled cron job. The issue arises from a typo in the input validation code that disables the email format check for settings declared as email type. Because of this flaw, an authenticated administrator can store shell metacharacters in the 'panel.adminmail' setting. The cron job later passes that value to a shell command without escaping it, so a pipe character, which the validation whitelists, is enough to turn the setting into a root-level command injection.

Impact

Exploitation of this vulnerability grants authenticated admin users full root access on the server, allowing them to execute arbitrary commands with root privileges. This access could be used to compromise all customer data, databases, and SSL keys, and to modify any files on the server.

Reproduction

The vulnerability can be reproduced by logging into the Froxlor admin panel and navigating to the settings page. Once there, inject a payload into the 'panel.adminmail' field that includes shell metacharacters, such as a pipe or semicolon. After saving the settings, the injected command will be executed as root by a cron job.

Remediation

Users should update to Froxlor version 2.3.4, which fixes the vulnerability by correcting the input validation logic and escaping shell arguments in the acme.sh installation process.
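The two defensive controls named above (a working email-format check on email-typed settings, and shell-argument escaping before the value reaches a command line) are illustrated below in an added PHP example. It is not Froxlor's code: the function names, the sample values, and the acme.sh invocation it builds are assumptions made for illustration, and the malicious-looking sample inputs are constructed.

```php
<?php
// Added example, not Froxlor's code. Function names and the acme.sh
// command line are hypothetical; sample inputs are constructed.
declare(strict_types=1);

/**
 * Strict check for a setting declared as type "email".
 * First requires an address that PHP's validator accepts, then, as defence
 * in depth, rejects any character that could alter a shell command line.
 */
function validateEmailSetting(string $value): bool
{
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Shell metacharacters, quotes and whitespace are never acceptable here.
    if (preg_match('/[|;&`$<>(){}\[\]\\\\\'"\s]/', $value) === 1) {
        return false;
    }
    return true;
}

/**
 * Build the (assumed) acme.sh account-registration command line.
 * The admin mail is always wrapped in escapeshellarg(), so even a value that
 * somehow slipped past validation is passed as a single literal argument
 * rather than being interpreted by the shell.
 */
function buildAcmeRegisterCommand(string $adminMail): string
{
    return '/usr/local/bin/acme.sh --register-account -m ' . escapeshellarg($adminMail);
}

// Constructed samples: one valid address and two injection-style values.
$samples = [
    'admin@example.com',
    'x@example.com|id>/tmp/out',
    'x@example.com; id',
];

foreach ($samples as $sample) {
    $ok = validateEmailSetting($sample);
    printf("%-30s valid=%s\n", $sample, $ok ? 'yes' : 'no');
    if ($ok) {
        echo '  command: ' . buildAcmeRegisterCommand($sample) . PHP_EOL;
    }
}
```

Only the first sample passes validation; the other two are rejected by both the format check and the metacharacter check, and even if validation were skipped, escapeshellarg() would leave them as a single quoted argument to acme.sh instead of a second command.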

Added: Mar 3, 2026, 11:22 PM
Updated: Mar 3, 2026, 11:22 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 10.0
exploitability: 5.9
remediation: 7.7
relevance: 3.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.