Froxlor PHP Code Injection Vulnerability in MySQL Server API

Vulnerability

A PHP code injection vulnerability exists in Froxlor versions prior to 2.3.6. The issue arises in the `PhpHelper::parseArrayToString()` method, which writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with the `change_serversettings` permission adds or updates a MySQL server through the API, the `privileged_user` parameter is written unescaped into `lib/userdata.inc.php`. That file is included on every request via `Database::getDB()`, so an attacker holding this permission can inject arbitrary PHP code that executes as the web server user on subsequent page loads.
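The defect class described above is a serializer that emits a generated PHP configuration file by wrapping user-controlled strings in single quotes. The following is an added example, not Froxlor's own code: the function names (`weakArrayToPhp`, `safeArrayToPhp`, `generatedConfigRoundTrips`) and the sample settings array are assumptions made for this illustration. It places a minimal version of the weak pattern beside a hardened one based on `var_export()`, and adds a regression check that a defender can run against any such serializer: does the generated source still parse, and does including it reproduce exactly the array that was serialized? The sample value is a benign username containing an apostrophe and a trailing backslash, the two characters a single-quoted PHP literal treats specially; with the weak serializer the generated file fails to parse, with the hardened one it round-trips.

```php
<?php
// Added example (not Froxlor code). Models a config serializer that writes
// settings into a generated PHP file, as lib/userdata.inc.php is generated in
// Froxlor. Function names and sample data are assumptions for this illustration.

/**
 * Weak serializer: wraps each value in single quotes with no escaping.
 * A value containing a single quote or a trailing backslash terminates the
 * literal early, so the generated file no longer means what the caller intended
 * and, at worst, the remainder of the value is parsed as PHP code.
 */
function weakArrayToPhp(array $settings): string
{
    $out = "<?php\n\$sql = [\n";
    foreach ($settings as $key => $value) {
        $out .= "    '" . $key . "' => '" . $value . "',\n";
    }
    return $out . "];\n";
}

/**
 * Hardened serializer: var_export() produces a valid PHP literal for any
 * string, escaping single quotes and backslashes, and also handles nested
 * arrays, integers, booleans and null instead of coercing them to strings.
 */
function safeArrayToPhp(array $settings): string
{
    return "<?php\n\$sql = " . var_export($settings, true) . ";\n";
}

/**
 * Regression check: write the generated source to a temporary file, include it,
 * and compare the resulting $sql array with the input. A ParseError means a value
 * broke out of its string literal; a mismatch means data was silently altered.
 */
function generatedConfigRoundTrips(array $settings, callable $serializer): bool
{
    $source = $serializer($settings);
    $path = tempnam(sys_get_temp_dir(), 'cfg');
    file_put_contents($path, $source);
    try {
        $sql = null;
        include $path;                     // defines $sql if the file is valid PHP
        return is_array($sql) && $sql === $settings;
    } catch (ParseError $e) {
        return false;                      // literal was terminated by the value
    } finally {
        unlink($path);
    }
}

// Constructed sample input: a display-style username with an apostrophe and a
// trailing backslash. Not a real credential.
$settings = [
    'host'            => '127.0.0.1',
    'privileged_user' => "O'Brien\\",
    'password'        => 'example-only',
];

echo "weak serializer round-trips: ";
var_dump(generatedConfigRoundTrips($settings, 'weakArrayToPhp'));
echo "safe serializer round-trips: ";
var_dump(generatedConfigRoundTrips($settings, 'safeArrayToPhp'));
```

The round-trip check is the useful part for a code base that generates PHP from settings: run it in the test suite with values that include `'`, `\`, and multi-byte characters, and any serializer that concatenates rather than uses `var_export()` (or an equivalent that escapes for the target literal type) fails it immediately.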

Impact

Exploitation allows for arbitrary OS command execution as the web server user, leading to a full server compromise. This includes accessing and exfiltrating customer data, database credentials, and TLS private keys, as well as lateral movement across MySQL databases. The vulnerability also introduces a persistent backdoor, with injected code executing on every request, and can cause a denial-of-service by disrupting the Froxlor panel.

Reproduction

To reproduce this vulnerability, an admin with the `change_serversettings` permission uses the Froxlor API to add or update a MySQL server, supplying a `privileged_user` parameter that contains unescaped PHP code, such as a command to execute. Once the MySQL server is added, the injected code runs as the web server user on the next page load, demonstrating successful exploitation.

Remediation

Users should update to Froxlor version 2.3.6 or later, where this vulnerability has been patched. The update is available on the Froxlor GitHub releases page.

Added: Apr 23, 2026, 4:19 AM
Updated: Apr 23, 2026, 4:19 AM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 10.0
exploitability: 6.3
remediation: 7.7
relevance: 6.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.