release Security Release 0.10.30 - Possible SQL injection with new 'custom database name' feature

[d00p]

Dear Froxlor Community,

with the release of 0.10.28 we've introduced the possiblity to let customer use custom-database names if enabled in the settings. One of our community members found out that the parameter was not validated correctly and that a user with customer-privileges to the panel could exploit this with an SQL injection. The assigned CVE is CVE-2021-42325 and the fixing commit can be found here.

Default froxlor installations are not affected per se as this feature requires an admin to set DBNAME in the corresponding "SQL prefix" setting to be enabled.

Additionally, this release fixes minor validation in the SubDomains-module and the bulk-import of domains. You can now also specify that a newly created php-confiugrations gets assigned to all customers instead of having to add them to each customer manually.

Changes in 0.10.30:

• fix validation of database_name if custom-database-name feature is enabled
• fix allowed-phpconfigs check in SubDomains.add() and SubDomains.update()
• adjust debian 11 config templates, fixes #982
• don't remove 0-value parameter values from bulk-actions
• add possibility to assign new/edited php-config to all customer accounts; fixes #980
• add complete list of nameserver-ips and given axfr-servers to allow-axfr-ips list for PowerDNS; fixes #985
• fix api documentation for Domains.add() and Domains.update(); fixes #987
• soften/correct permissions on pdns configs; fixes #991
• check whether the domain to clean from pdns actually still exists there; fixes #992
• avoid possible DivisionByZeroError in APCu info page, fixes #995

 

Download: 0.10.30 | website

Visit http://www.froxlor.org or join our IRC channel #froxlor on irc.libera.chat for support, help, participation or just a chat

Thank you,
d00p