Froxlor Email Spoofing Vulnerability via Domain Ownership Validation Bypass

Vulnerability

A vulnerability in Froxlor's email sender alias management allows cross-customer email spoofing. Prior to version 2.3.6, the domain ownership validation in the 'EmailSender::add()' function incorrectly used the local part of the email address instead of the domain when checking ownership. This flaw enabled authenticated customers to add sender aliases for email addresses on domains owned by other customers. As a result, Postfix's 'sender_login_maps' authorized the spoofing of those addresses. Version 2.3.6 addresses this issue.
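The following is an added example, not Froxlor's code, written in Python to isolate the defect described above. It assumes a constructed mapping of domains to owning customers and a constructed list of sender-alias rows; the exact structure of Froxlor's original check is not stated on the page, so the vulnerable variant models only the stated mistake (looking up the local part of the address instead of its domain). An audit function is included so an administrator can scan existing alias rows for cross-customer entries that the flawed check would have let through.

```python
# Added illustration of the ownership-check defect (not Froxlor's code).
# Assumptions: domain ownership is a simple dict constructed inline, and the
# original check's precise form is modelled only as "which string is looked up".
from typing import Dict, List, Tuple

# Constructed sample data: which customer owns which hosted domain.
DOMAIN_OWNERS: Dict[str, str] = {
    "alice-shop.example": "alice",
    "bob-corp.example": "bob",
}

# Constructed sample sender-alias rows as (customer, alias_address).
SAMPLE_ALIASES: List[Tuple[str, str]] = [
    ("alice", "news@alice-shop.example"),
    ("bob", "billing@bob-corp.example"),
    ("bob", "ceo@alice-shop.example"),  # the kind of entry the flaw permitted
]


def split_address(address: str) -> Tuple[str, str]:
    """Split 'local@domain' into (local, domain); domain is lower-cased.
    Malformed input is rejected rather than silently guessed at."""
    if address.count("@") != 1:
        raise ValueError(f"expected exactly one '@': {address!r}")
    local, domain = address.split("@")
    if not local or not domain:
        raise ValueError(f"empty local part or domain: {address!r}")
    return local, domain.lower()


def alias_allowed_vulnerable(customer: str, address: str) -> bool:
    """Models the pre-2.3.6 mistake: the LOCAL PART is looked up as if it were
    a domain. Since a local part is almost never a hosted domain name, the
    lookup misses and the alias is allowed regardless of who owns the domain."""
    local, _domain = split_address(address)
    owner = DOMAIN_OWNERS.get(local)  # wrong string looked up
    return owner is None or owner == customer


def alias_allowed_fixed(customer: str, address: str) -> bool:
    """Corrected check: the DOMAIN is looked up and must belong to the
    requesting customer. Refusing domains not hosted on the system at all is
    a stricter policy choice added here; the essential fix is the lookup key."""
    _local, domain = split_address(address)
    return DOMAIN_OWNERS.get(domain) == customer


def find_cross_customer_aliases(
    aliases: List[Tuple[str, str]],
) -> List[Tuple[str, str, str]]:
    """Defender audit: return (customer, address, actual_owner) for every alias
    row whose domain is owned by a different customer. Such rows should be
    reviewed and removed, because Postfix sender_login_maps will honour them."""
    findings: List[Tuple[str, str, str]] = []
    for customer, address in aliases:
        _local, domain = split_address(address)
        owner = DOMAIN_OWNERS.get(domain)
        if owner is not None and owner != customer:
            findings.append((customer, address, owner))
    return findings


if __name__ == "__main__":
    spoof = "ceo@alice-shop.example"
    print("vulnerable check lets bob add", spoof, "->", alias_allowed_vulnerable("bob", spoof))
    print("fixed check lets bob add", spoof, "->", alias_allowed_fixed("bob", spoof))
    for row in find_cross_customer_aliases(SAMPLE_ALIASES):
        print("cross-customer alias found:", row)
```

Running the audit against a dump of the sender-alias table (customer id and alias address per row, mapped onto the domain table) is a reasonable post-upgrade step, since updating to 2.3.6 fixes the check for new aliases but does not itself undo entries created while the check was flawed.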

Impact

Exploitation of this vulnerability allows any authenticated customer to impersonate users on other customers' domains by sending emails that appear to come from those addresses. This bypasses Postfix's safeguards against such actions, potentially leading to phishing attempts and damage to the reputation of the spoofed domain.

Reproduction

To reproduce this vulnerability, an authenticated customer can add a sender alias for an email address on a domain owned by another customer. This can be done through the Froxlor API or the web interface. Once the alias is added, the customer can send emails using that address via SMTP, effectively spoofing the other customer.

Remediation

Users can update to Froxlor version 2.3.6, which includes the necessary fix. Instructions for downloading this version are available on the Froxlor GitHub Releases page.

Added: Apr 23, 2026, 5:21 AM
Updated: Apr 23, 2026, 5:21 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 2.5
exploitability: 6.4
remediation: 7.7
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.