Froxlor
cpe:2.3:a:froxlor:froxlor:*:*:*:*:*:*:*
- <= 2.3.5
A vulnerability in Froxlor prior to version 2.3.6 allows resellers to bypass their domain quotas through the 'adminid' parameter of the 'Domains.add()' method. When the calling reseller lacks the 'customers_see_all' permission, the 'adminid' value is taken from the request and used as the owning admin of the new domain without any check that the caller is allowed to act for that admin. A reseller can therefore attribute newly created domains to any other admin, sidestepping its own domain limit and consuming the quota of the chosen admin. The issue has been addressed in version 2.3.6.
Exploitation allows a reseller to create domains beyond its allocated quota and to have them recorded under a different admin, breaking the ownership model and potentially exhausting the targeted admin's domain allowance.
To reproduce, a reseller account without the 'customers_see_all' permission calls 'Domains.add()' through the API and supplies an 'adminid' that is not its own. The request is processed without validation and the domain is attributed to the selected admin. The effect can be verified by comparing the 'domains_used' counters of the reseller and of the targeted admin before and after the call: the reseller's counter is unchanged while the targeted admin's counter has been incremented.
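The following Python model is an added example and is not Froxlor's code; it shows the access-control decision the advisory describes, once in the flawed form and once with the missing check. The names 'adminid', 'customers_see_all' and 'domains_used' are taken from the advisory; the 'domains' quota field, the Admin records, the ids and the domain name are constructed for the illustration and do not come from a Froxlor installation.

```python
"""Model of the Froxlor 'adminid' quota bypass in Domains.add().

Added illustration, not Froxlor code. The in-memory Admin table, the quota
field 'domains' (-1 = unlimited) and all ids below are constructed inputs.
"""
from dataclasses import dataclass


@dataclass
class Admin:
    adminid: int
    customers_see_all: bool
    domains: int            # quota; -1 means unlimited (constructed convention)
    domains_used: int = 0   # counter the advisory tells you to compare


class Forbidden(Exception):
    pass


class QuotaExceeded(Exception):
    pass


def resolve_adminid_vulnerable(caller: Admin, params: dict, admins: dict) -> int:
    """Flawed resolver: the request's 'adminid' is honoured as-is, even for a
    caller without customers_see_all. The domain is then charged to whoever
    the reseller names, not to the reseller."""
    return int(params.get("adminid", caller.adminid))


def resolve_adminid_fixed(caller: Admin, params: dict, admins: dict) -> int:
    """Hardened resolver: a caller without customers_see_all can only create
    domains under its own adminid; a caller with the permission may pick any
    admin that actually exists."""
    if not caller.customers_see_all:
        supplied = params.get("adminid")
        if supplied is not None and int(supplied) != caller.adminid:
            # Reject rather than silently ignore so the client sees the
            # parameter is not honoured for its permission level.
            raise Forbidden("adminid may only be set with customers_see_all")
        return caller.adminid
    adminid = int(params.get("adminid", caller.adminid))
    if adminid not in admins:
        raise ValueError(f"unknown adminid {adminid}")
    return adminid


def add_domain(caller: Admin, params: dict, admins: dict, resolve) -> int:
    """Create a domain and charge it to the resolved admin's quota.
    The quota check itself is correct in both variants; the bypass comes
    entirely from which admin the check is applied to."""
    adminid = resolve(caller, params, admins)
    owner = admins[adminid]
    if owner.domains != -1 and owner.domains_used >= owner.domains:
        raise QuotaExceeded(f"admin {adminid} at {owner.domains_used}/{owner.domains}")
    owner.domains_used += 1
    return adminid


def demo(resolve, caller_id: int, request: dict) -> dict:
    """Run one Domains.add() call against a fresh constructed admin table and
    report who was charged plus the resulting domains_used counters."""
    admins = {
        1: Admin(adminid=1, customers_see_all=True, domains=-1, domains_used=3),
        2: Admin(adminid=2, customers_see_all=False, domains=1, domains_used=1),  # quota full
        3: Admin(adminid=3, customers_see_all=False, domains=5, domains_used=0),  # target
    }
    try:
        charged_to = add_domain(admins[caller_id], request, admins, resolve)
    except (Forbidden, QuotaExceeded, ValueError) as exc:
        charged_to = type(exc).__name__
    return {
        "charged_to": charged_to,
        "domains_used": {aid: a.domains_used for aid, a in admins.items()},
    }


if __name__ == "__main__":
    req = {"domain": "quota-bypass.example", "adminid": 3}  # constructed request
    print("vulnerable:", demo(resolve_adminid_vulnerable, 2, req))
    print("fixed:     ", demo(resolve_adminid_fixed, 2, req))
    print("fixed/own: ", demo(resolve_adminid_fixed, 2, {"domain": "quota-bypass.example"}))
```

With the flawed resolver the reseller (adminid 2, quota already full) gets a domain created and admin 3's 'domains_used' goes from 0 to 1 while its own stays at 1, which is exactly the counter discrepancy the reproduction step describes. With the check in place the same request is refused, and a request without 'adminid' fails on the reseller's own exhausted quota as intended.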
Users can update to Froxlor version 2.3.6, where this vulnerability has been fixed.