Horizon Alert
Summary of the vulnerability and why it matters
This vulnerability in Froxlor allows an attacker who already holds administrative privileges to inject PHP code into a configuration file. Because that file is included on every page load, the injected code runs automatically, potentially compromising the entire server.
- Code execution as the web server user.
- Affects Froxlor versions before 2.3.6.
- Requires administrative access to exploit.
Attack Path
How an attacker could exploit the issue
An attacker with administrative access can exploit this by supplying a crafted `privileged_user` parameter when adding or updating a MySQL server via the API. Because the application writes this value unescaped into a PHP configuration file that is included on every request, arbitrary PHP code can be injected and executed with the web server's privileges.
- Requires admin privileges.
- Reached through the MySQL server API endpoint.
- Writes unescaped data into an included configuration file.
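How the defect arises and how to close it, shown as an added example that is not Froxlor's own code (function names and the configuration layout are assumptions):

```php
<?php
// Added illustration, not Froxlor's code. Function names and the config
// layout are assumptions; they model the defect the alert describes.

// Unsafe pattern: the value is spliced straight into PHP source text. A
// value containing a quote closes the string literal, and whatever follows
// is parsed as code the next time the file is include()d.
function renderConfigUnsafe(string $privilegedUser): string
{
    return "<?php\n\$settings['privileged_user'] = '" . $privilegedUser . "';\n";
}

// Mitigation 1: allowlist the input. MySQL user names are at most 32
// characters; restricting them to [A-Za-z0-9_] excludes quotes, tags,
// whitespace and every other character that could matter to the parser.
function isValidPrivilegedUser(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_]{1,32}$/', $name) === 1;
}

// Mitigation 2: never assemble source by concatenation. var_export() emits
// a proper PHP literal with escaping, so the value stays a string whatever
// it contains. Both layers are applied here as defense in depth.
function renderConfigSafe(string $privilegedUser): string
{
    if (!isValidPrivilegedUser($privilegedUser)) {
        throw new InvalidArgumentException('privileged_user rejected');
    }
    $config = ['privileged_user' => $privilegedUser];
    return "<?php\nreturn " . var_export($config, true) . ";\n";
}

// Demo on a constructed hostile-looking value: a quote plus a PHP open tag.
$constructed = "root' <?php";
echo renderConfigUnsafe($constructed);  // the string literal is broken mid-line
try {
    renderConfigSafe($constructed);     // refused by the allowlist
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
echo renderConfigSafe('froxlor_admin'); // well-formed, safe to include
```

The safe writer is what a patched installation should resemble in spirit: admin-supplied values are data, never source text, even though the caller is trusted.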
Live Threat
Current exploitation, exposure, and threat context
This vulnerability allows arbitrary PHP code injection through the API, with the injected code executing under the web server's privileges. It is an attractive target because it yields remote code execution and has a direct impact on server security.
- Exploitation requires admin privileges.
- No public exploit available.
- Version 2.3.6 addresses the issue.
Priority actions
Operational Fix
Recommended remediation, mitigation, and detection steps
Focus on patching Froxlor to version 2.3.6 immediately, as unpatched instances are critically vulnerable to remote code execution. If immediate patching is not feasible, implement strict access controls on the Froxlor API and limit administrative privileges to essential personnel only.
- Patch Froxlor to version 2.3.6.
- Restrict API access and limit administrative accounts to essential personnel.
- Monitor configuration files for unauthorized changes.