Search the Community

Dear Froxlor Community, with the release of 0.10.28 we've introduced the possiblity to let customer use custom-database names if enabled in the settings. One of our community members found out that the parameter was not validated correctly and that a user with customer-privileges to the panel could exploit this with an SQL injection. The assigned CVE is CVE-2021-42325 and the fixing commit can be found here. Default froxlor installations are not affected per se as this feature requires an admin to set DBNAME in the corresponding "SQL prefix" setting to be enabled. Additionally, this release fixes minor validation in the SubDomains-module and the bulk-import of domains. You can now also specify that a newly created php-confiugrations gets assigned to all customers instead of having to add them to each customer manually. Changes in 0.10.30: fix validation of database_name if custom-database-name feature is enabled fix allowed-phpconfigs check in SubDomains.add() and SubDomains.update() adjust debian 11 config templates, fixes #982 don't remove 0-value parameter values from bulk-actions add possibility to assign new/edited php-config to all customer accounts; fixes #980 add complete list of nameserver-ips and given axfr-servers to allow-axfr-ips list for PowerDNS; fixes #985 fix api documentation for Domains.add() and Domains.update(); fixes #987 soften/correct permissions on pdns configs; fixes #991 check whether the domain to clean from pdns actually still exists there; fixes #992 avoid possible DivisionByZeroError in APCu info page, fixes #995 Download: 0.10.30 | website Visit http://www.froxlor.org or join our IRC channel #froxlor on irc.libera.chat for support, help, participation or just a chat Thank you, d00p

Dear Froxlor Community, this release integrates a few security improvements that have been reported to us regarding the session settings, session id and possible url manipulation. Additionally, thanks to the guys from INWX, support for mysql-tls settings have been integrated in the installation-process and the system. Thanks again for the contribution. Changes in 0.10.29: set php session security related settings (httponly and secure flag) secure commonly used filename-variable against url manipulation generate unpredictable unique session ids fix session for 2fa enabled logins integrate the new czech language file; refs #976 possibility to decide whether target database should be dropped after backup when installing adds mysql tls support, refs #979 Changes in 0.10.29.1: fix fresh installation (database exist check) Download: 0.10.29.1 | website Visit http://www.froxlor.org or join our IRC channel #froxlor on irc.libera.chat for support, help, participation or just a chat Thank you, d00p

Hi all, I am new to Froxlor and so far enjoying it but unsure how to use it and have a few questions. I have pointed an A record from my domain provider to the server and am able to access the web panel using the domain but my FTP client (filezilla) can't find it. Does it have a mail server built in or do I have to configure that. Can I use it as a nameserver? What ports does it need to function (so I can setup my firewall) Thanks in advance for all your help.

Dear Froxlor-community, due to a severe security issue in the database logging system, we strongly recommend to update your current froxlor installation to 0.9.33.2. We also recommend to remove any content from the /froxlor/logs/ directory. Download: 0.9.33.2 Note: Gentoo-ebuild and Debian packages are now available.. Visit http://www.froxlor.org or join our IRC channel #froxlor on irc.freenode.net. Thank you, d00p