Froxlor Path Traversal Vulnerability in def_language Parameter Leads to Arbitrary PHP Code Execution

Vulnerability

Froxlor versions prior to 2.3.6 allow arbitrary PHP code execution through the API commands 'Customers.update' and 'Admins.update'. The 'def_language' parameter is not validated against the set of language files that actually exist, so an authenticated customer can submit a path traversal sequence in it, and the value is stored unchanged in the database. On a later request the stored value is used to load the language file; the application therefore includes a file of the attacker's choosing, and the PHP code in that file runs as the web server user.

Impact

An authenticated customer can execute arbitrary PHP code on the server as the web server user, which can lead to full compromise of the host. From there the attacker can read sensitive data such as database credentials and customer records, plant a persistent backdoor, or exfiltrate data from hosted databases and mailboxes.

Reproduction

To reproduce the issue, an authenticated customer first uploads, over FTP to their own web directory, a malicious language file containing PHP code of their choosing. They then send a 'Customers.update' or 'Admins.update' API request whose 'def_language' value is a path traversal sequence that leads from the language directory to the uploaded file. The value is stored in the database as-is; a subsequent 'Customers.get' call triggers language loading, the application includes the uploaded file, and the PHP code in it runs.
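
The loader pattern behind the description above and the reproduction steps, shown as an added example that is not Froxlor's code: a vulnerable include that concatenates the stored language name into a path, next to a validator that only accepts names of language files actually present in the language directory. The directory layout, the hypothetical functions and the `<name>.lng.php` naming are assumptions for the example, and the "uploaded" file is a harmless stand-in for the FTP upload; the exact include path Froxlor uses is not given on this page.

```php
<?php
// Added example (not Froxlor's code): vulnerable vs. hardened handling of a
// user-supplied language name such as def_language.
// Assumptions (not from the advisory): language files live in one directory,
// are named <name>.lng.php and return a PHP array when included.
declare(strict_types=1);

// Vulnerable pattern: the language name is concatenated into the include path
// without any check, so "../" sequences escape the language directory.
function load_language_vulnerable(string $lngDir, string $lang): array
{
    return include $lngDir . '/' . $lang . '.lng.php';
}

// Hardened validator: true only for a language that really exists in $lngDir.
// Call it before storing def_language and again before including the file,
// so a value that slipped into the database earlier is still rejected.
function validate_def_language(string $lngDir, string $lang): bool
{
    // 1. Syntactic check: a language name is a plain identifier, never a path.
    if (preg_match('/^[A-Za-z][A-Za-z0-9_-]*$/', $lang) !== 1) {
        return false;
    }
    // 2. Allowlist built from the files that actually exist in the directory.
    $available = [];
    foreach (scandir($lngDir) ?: [] as $entry) {
        if (preg_match('/^([A-Za-z][A-Za-z0-9_-]*)\.lng\.php$/', $entry, $m) === 1) {
            $available[] = $m[1];
        }
    }
    if (!in_array($lang, $available, true)) {
        return false;
    }
    // 3. Defence in depth: the resolved file must still be inside $lngDir.
    $base = realpath($lngDir);
    $file = realpath($lngDir . '/' . $lang . '.lng.php');
    return $base !== false && $file !== false
        && strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

function load_language_safe(string $lngDir, string $lang): array
{
    if (!validate_def_language($lngDir, $lang)) {
        throw new InvalidArgumentException('unknown language: ' . $lang);
    }
    return include $lngDir . '/' . $lang . '.lng.php';
}

// --- constructed demo environment: temporary directories, removed at the end ---
$root = sys_get_temp_dir() . '/lng-demo-' . getmypid();
mkdir($root . '/lng', 0700, true);
mkdir($root . '/customer-web', 0700, true);
// A legitimate language file.
file_put_contents($root . '/lng/english.lng.php', "<?php return ['greeting' => 'Hello'];\n");
// The file the "customer" placed in their own web directory (stands in for the FTP upload).
file_put_contents($root . '/customer-web/evil.lng.php',
    "<?php return ['marker' => 'attacker-controlled file was included'];\n");

$payload = '../customer-web/evil';   // traversal value that would be stored as def_language

$loaded = load_language_vulnerable($root . '/lng', $payload);
echo "vulnerable loader: ", $loaded['marker'], "\n";

echo "validate(payload): ", var_export(validate_def_language($root . '/lng', $payload), true), "\n";
echo "validate(english): ", var_export(validate_def_language($root . '/lng', 'english'), true), "\n";
try {
    load_language_safe($root . '/lng', $payload);
} catch (InvalidArgumentException $e) {
    echo "hardened loader rejected: ", $e->getMessage(), "\n";
}

// Cleanup of the constructed environment.
unlink($root . '/lng/english.lng.php');
unlink($root . '/customer-web/evil.lng.php');
rmdir($root . '/lng');
rmdir($root . '/customer-web');
rmdir($root);
```

Run with `php example.php`. The first line of output shows the marker from the file outside the language directory, i.e. the traversal succeeded against the unchecked loader; the validator then rejects the same value and accepts the real language name. The allowlist check (step 2) is the actual fix; the identifier regex and the realpath containment check are layered on so that a future change to the file naming or directory layout does not silently reopen the hole.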

Remediation

Update to Froxlor version 2.3.6 or later, where this vulnerability has been patched; the latest version is available on the Froxlor GitHub Releases page. Because the traversal value is stored in the database, upgrading does not undo an exploitation that has already taken place: after updating, check the stored 'def_language' values of all customer and admin accounts, treat any value containing path separators or '..' as evidence of compromise, and investigate the host accordingly.

Added: Apr 23, 2026, 4:22 AM
Updated: Apr 23, 2026, 4:22 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 10.0
exploitability: 6.2
remediation: 7.7
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.