Froxlor
cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*
- <= 2.3.4
A vulnerability in Froxlor's DomainZones.add API endpoint, prior to version 2.3.5, allows for BIND zone file injection. The endpoint, accessible to customers with DNS management enabled, failed to properly validate the content field for several DNS record types, including LOC, RP, SSHFP, and TLSA. This oversight enabled attackers to inject newlines and BIND directives, such as $INCLUDE, into the zone file. When the DNS rebuild cron job executed, the injected content was written to disk, potentially leading to unauthorized file access or disruption of DNS services.
Exploitation of this vulnerability could result in unauthorized access to world-readable files on the server through the DNS subsystem, disruption of DNS services for affected domains, or manipulation of DNS zone data by injecting arbitrary records.
To reproduce this vulnerability, a customer with DNS management enabled can use the DomainZones.add API command to add a LOC record. The content field should be populated with a valid LOC record format, including injected BIND directives such as $INCLUDE. Alternatively, the vulnerability can be reproduced via the web UI by intercepting the DNS editor form POST and injecting the BIND directives into the content field.
Users can update to Froxlor version 2.3.5, which includes the necessary validation for DNS record content. The update is available on the Froxlor GitHub Releases page.
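The kind of content validation described above, sketched as an added example (not Froxlor's code and not the 2.3.5 patch): each record's content field is rejected if it contains any control character, then matched in full against a per-type grammar. The function name, the simplified grammars and the sample values are assumptions constructed for illustration.

```python
import re

# Simplified per-type grammars (assumption: stricter than the RFCs in places).
_HEX = r"[0-9A-Fa-f]+"
_NAME = r"(?:[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*\.?|\.)"
_DMS = r"( \d{1,2}( \d{1,2}(\.\d{1,3})?)?)?"   # optional minutes and seconds
_SIZE = r"\d+(\.\d{1,2})?m?"                    # altitude / size / precision
GRAMMARS = {
    "SSHFP": re.compile(rf"\d{{1,3}} \d{{1,3}} {_HEX}"),
    "TLSA": re.compile(rf"[0-3] [01] [0-2] {_HEX}"),
    "RP": re.compile(rf"{_NAME} {_NAME}"),
    "LOC": re.compile(
        rf"\d{{1,2}}{_DMS} [NS] \d{{1,3}}{_DMS} [EW] -?{_SIZE}( {_SIZE}){{0,3}}"
    ),
}


def check_record_content(rtype, content):
    """Return (ok, reason) for one DNS record's content field."""
    # A CR/LF (or any other control character) would let the value start a
    # new line in the generated zone file, where BIND parses directives.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in content):
        return False, "control character in content"
    grammar = GRAMMARS.get(rtype.upper())
    if grammar is None:
        return False, "no grammar for record type"
    # fullmatch, not match/search with '$': in Python '$' also matches just
    # before a trailing newline, which would let one through.
    if not grammar.fullmatch(content):
        return False, "content does not match record grammar"
    return True, "ok"


# Constructed sample inputs; the path is a placeholder.
SAMPLES = [
    ("LOC", "52 22 23.000 N 4 53 32.000 E -2.00m 0.00m 10000m 10m"),
    ("LOC", "52 22 23.000 N 4 53 32.000 E -2.00m\n$INCLUDE /placeholder/path"),
    ("SSHFP", "4 2 " + "ab" * 32),
    ("TLSA", "3 1 1 " + "cd" * 32 + " ; trailing"),
    ("RP", "admin.example.com. ."),
]

if __name__ == "__main__":
    for rtype, content in SAMPLES:
        print(rtype, repr(content[:40]), check_record_content(rtype, content))
```

Record types without a grammar are refused rather than passed through, so a newly enabled type cannot reach the zone file unvalidated.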