Jump to content
Froxlor Forum

Security Release 0.10.30 - Possible SQL injection with new 'custom database name' feature


d00p
 Share

Recommended Posts

Dear Froxlor Community,

with the release of 0.10.28 we've introduced the possiblity to let customer use custom-database names if enabled in the settings. One of our community members found out that the parameter was not validated correctly and that a user with customer-privileges to the panel could exploit this with an SQL injection. The assigned CVE is CVE-2021-42325 and the fixing commit can be found here.

Default froxlor installations are not affected per se as this feature requires an admin to set DBNAME in the corresponding "SQL prefix" setting to be enabled.

Additionally, this release fixes minor validation in the SubDomains-module and the bulk-import of domains. You can now also specify that a newly created php-confiugrations gets assigned to all customers instead of having to add them to each customer manually.

Changes in 0.10.30:

  • fix validation of database_name if custom-database-name feature is enabled
  • fix allowed-phpconfigs check in SubDomains.add() and SubDomains.update()
  • adjust debian 11 config templates, fixes #982
  • don't remove 0-value parameter values from bulk-actions
  • add possibility to assign new/edited php-config to all customer accounts; fixes #980
  • add complete list of nameserver-ips and given axfr-servers to allow-axfr-ips list for PowerDNS; fixes #985
  • fix api documentation for Domains.add() and Domains.update(); fixes #987
  • soften/correct permissions on pdns configs; fixes #991
  • check whether the domain to clean from pdns actually still exists there; fixes #992
  • avoid possible DivisionByZeroError in APCu info page, fixes #995

 

Download: 0.10.30 | website


Visit http://www.froxlor.org or join our IRC channel #froxlor on irc.libera.chat for support, help, participation or just a chat

Thank you,
d00p

Link to comment
Share on other sites

  • d00p unpinned this topic

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...