Froxlor Symlink Validation Bypass in Data Export Command Allows Arbitrary Directory Ownership Takeover

Vulnerability

Froxlor's DataDump.add() function, prior to version 2.3.6, performs incomplete symlink validation, which allows unauthorized changes of directory ownership. The export destination path is built from user input without proper validation, so a customer can manipulate the path and take ownership of arbitrary directories when the ExportCron runs as root. This vulnerability affects Froxlor versions through 2.1.0.
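The root cause described above, an export destination built from user input and later acted on by a root cron job, comes down to how the path is validated. The following is an added example, not Froxlor's code and not a reproduction of the 2.3.6 patch: it contrasts a plain string-prefix check, which a symlink inside the document root defeats because it never consults the filesystem, with a component-by-component check that refuses any symlinked component and confirms containment with realpath(). The function names, the temporary directory layout and the customer1/customer2 names are assumptions constructed for the demonstration.

```php
<?php
// Added example (not Froxlor's code): validating a customer-supplied export
// path so a root cron job cannot be steered into chown()ing a directory the
// customer does not own. Requires PHP 8.0+ (str_starts_with / str_contains).
declare(strict_types=1);

// Weak check (illustrative of the bug class): joins docroot and the request
// and compares strings. A symlink named "export" inside docroot that points
// at another customer's directory passes, because nothing here resolves it.
function weakPathCheck(string $docroot, string $requested): bool
{
    $root   = rtrim($docroot, '/');
    $target = $root . '/' . $requested;
    return str_starts_with($target, $root . '/') && !str_contains($requested, '..');
}

// Hardened check: walk the requested path one component at a time beneath the
// resolved docroot, reject '.' / '..' / absolute paths / NUL bytes, reject any
// component that is a symlink, and finally confirm with realpath() that the
// destination still lies inside docroot. Returns the safe absolute path, or
// null when the request must be refused.
function resolveExportPath(string $docroot, string $requested): ?string
{
    $root = realpath($docroot);
    if ($root === false || !is_dir($root)) {
        return null;
    }
    if ($requested === '' || $requested[0] === '/' || str_contains($requested, "\0")) {
        return null;
    }
    $current = $root;
    foreach (explode('/', $requested) as $part) {
        if ($part === '') {
            continue;
        }
        if ($part === '.' || $part === '..') {
            return null;
        }
        $current .= '/' . $part;
        // Every existing component must be a real directory, never a symlink.
        if (is_link($current) || (file_exists($current) && !is_dir($current))) {
            return null;
        }
    }
    // Components that do not exist yet have no realpath(); those already
    // verified above cannot have escaped, so containment is checked on the
    // resolved portion only.
    $resolved = realpath($current);
    if ($resolved !== false && !str_starts_with($resolved . '/', $root . '/')) {
        return null;
    }
    return $current;
}

// Constructed demo layout in a temporary directory: customer1's docroot
// contains a symlink "export" pointing at customer2's directory.
$base    = sys_get_temp_dir() . '/export-path-demo-' . bin2hex(random_bytes(4));
$docroot = $base . '/customer1';
$victim  = $base . '/customer2';
mkdir($docroot, 0700, true);
mkdir($victim, 0700, true);
symlink($victim, $docroot . '/export');

printf("weak check on 'export':      %s\n", weakPathCheck($docroot, 'export') ? 'allowed' : 'rejected');
printf("hardened check on 'export':  %s\n", resolveExportPath($docroot, 'export') ?? 'rejected');
printf("hardened check on 'dumps/1': %s\n", resolveExportPath($docroot, 'dumps/1') ?? 'rejected');
printf("hardened check on '../x':    %s\n", resolveExportPath($docroot, '../x') ?? 'rejected');

// Clean up the constructed layout.
unlink($docroot . '/export');
rmdir($docroot);
rmdir($victim);
rmdir($base);
```

Because the ownership change happens later, when the cron job runs, a check performed only at scheduling time is not sufficient: the filesystem can change in between. The same validation should be repeated inside the cron immediately before any chown, and the ownership change itself should be applied to the resolved path rather than to whatever the stored string currently resolves to.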

Impact

Exploitation of this vulnerability allows for horizontal privilege escalation by enabling a customer to take ownership of another customer's web files, databases, and email data. Additionally, it could lead to vertical privilege escalation by targeting system directories, such as /etc, to gain access to sensitive files like /etc/passwd and /etc/shadow, potentially allowing the creation of a root account or modification of the root password. The vulnerability also poses a risk of disrupting services by changing ownership of critical system directories.

Reproduction

To reproduce this vulnerability, first create a symlink in the customer's document root that points to a directory of a victim customer. Then, schedule a data export via the Froxlor API, specifying a path that points to the symlink. Once the ExportCron runs, it will follow the symlink and change the ownership of the victim's directory to the attacker's user ID and group ID, effectively allowing the attacker to take control of the files. This exploitation can be automated with a single API call, taking advantage of the delayed impact until the next cron run.

Remediation

Users can update to Froxlor version 2.3.6, which includes the necessary fix. Instructions for downloading this version are available on the Froxlor GitHub Releases page.

Added: Apr 23, 2026, 4:20 AM
Updated: Apr 23, 2026, 4:20 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 3.3
exploitability: 5.0
remediation: 7.7
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.