Froxlor BIND Zone File Injection Vulnerability via Unsanitized DNS Record Content

Vulnerability

A vulnerability in Froxlor prior to version 2.3.6 allows authenticated customers to inject arbitrary DNS records and BIND directives into their domain's zone file. The issue arises because the 'DomainZones::add()' function accepts various DNS record types without proper validation and fails to sanitize newline characters in the 'content' field. As a result, when unsupported DNS types like 'NAPTR' are submitted, the content bypasses validation entirely. Because trimming removes only leading and trailing whitespace, newline characters embedded in the value survive, are stored in the database, and are written directly into BIND zone files. Since a zone file is line-oriented, the text after each embedded newline is interpreted as a separate resource record or directive.

Impact

Exploitation of this vulnerability allows for the injection of arbitrary DNS records, including A records that can redirect traffic to attacker-controlled IPs. It also enables manipulation of email authentication records, injection of BIND directives that could disrupt DNS services, and potential inclusion of local server files via BIND directives.

Reproduction

To reproduce this vulnerability, an authenticated customer can send an API request to 'DomainZones.add()' with a DNS type not validated by the server, such as 'NAPTR', and include newline characters in the 'content' field. After the record is accepted and stored in the database, the DNS cron can be triggered to write the injected content into the BIND zone file, where it will be processed as legitimate DNS records.

Remediation

Users should update to Froxlor version 2.3.6, which addresses this vulnerability by adding proper validation for DNS record types and sanitizing newline characters in the content field.
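The following is an added illustration (not Froxlor's code) of the mechanism described above and of the two checks the fix introduces: it contrasts a trim-only cleaning step with a validator that refuses unknown record types and any control character, and adds a post-generation count a zone writer can use to confirm one stored record produced exactly one zone line. The allowlist of types and the sample value are constructed for this example.

```python
import re

# Constructed allowlist for this example; the set of types Froxlor actually
# accepts lives in DomainZones::add() and is not reproduced here.
ALLOWED_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "TXT", "SRV", "CAA"}

# Everything below 0x20 (NUL, TAB, LF, CR, ...) plus DEL. A zone file is
# line-oriented, so a LF or CR inside one value ends one record and starts
# another; rejecting the whole class is safer than rejecting "\n" alone.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


class InvalidRecord(ValueError):
    """Raised when a submitted record must not reach the zone file."""


def weak_clean(content: str) -> str:
    """Pre-fix behaviour: trimming strips only leading and trailing
    whitespace, so a newline in the middle of the value survives."""
    return content.strip()


def validate_record(rtype: str, content: str) -> str:
    """Hardened check: unknown types are refused instead of passed through,
    and the value may not contain any control character. Returns the
    cleaned content that is safe to store and later serialise."""
    rtype = rtype.strip().upper()
    if rtype not in ALLOWED_TYPES:
        raise InvalidRecord(f"unsupported record type {rtype!r}")
    cleaned = content.strip()
    if not cleaned:
        raise InvalidRecord("record content must not be empty")
    if CONTROL_CHARS.search(cleaned):
        raise InvalidRecord("control characters are not allowed in record content")
    return cleaned


def zone_line(name: str, ttl: int, rtype: str, content: str) -> str:
    """Serialise one record the way a line-oriented zone writer would."""
    return f"{name}\t{ttl}\tIN\t{rtype}\t{content}\n"


def records_written(zone_fragment: str) -> int:
    """Defensive post-check for a zone generator: how many non-empty lines
    did a single stored record produce? Anything other than 1 means the
    stored value smuggled in extra records or directives."""
    return sum(1 for line in zone_fragment.splitlines() if line.strip())


if __name__ == "__main__":
    # Constructed sample: one value carrying an embedded newline.
    tainted = "192.0.2.10\n192.0.2.11"
    print(records_written(zone_line("www", 300, "A", weak_clean(tainted))))  # 2
    try:
        validate_record("NAPTR", tainted)
    except InvalidRecord as err:
        print("rejected:", err)
```

The same `records_written` count can be run over each record emitted by a generator during a zone rebuild, so a stored value that slipped past input validation is still caught before the file reaches BIND.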

Added: Apr 23, 2026, 4:20 AM
Updated: Apr 23, 2026, 4:20 AM

Vulnerability Rating

Custom Algorithm

spread          3.4
impact          5.0
exploitability  6.8
remediation     7.7
relevance       6.5
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.