Jump to content
Froxlor Forum

Security Release 0.10.34 - Possible authenticated SQL injection via API

d00p

By d00p
in Announcements

 Share

Recommended Posts

d00p Grand Master

d00p

Posted
Posted (edited)

Dear Froxlor Community,

with the introduction of 0.10.x API, users are able to externally call the provided functions (if enabled, default disabled) and invoke custom parameters to search/sort the queried entities.
 

Quote

This vulnerability allows remote attackers to execute arbitrary SQL queries on affected installations of froxlor. Authentication as a admin/customer with API access is required to exploit this vulnerability.

The specific flaw exists within the `getOrderBy` and `getSearchWhere` methods located in the `ApiCommand.php` file. The issue results from the improper validation of the `sql_orderby` and/or `sql_search` parameters. An attacker can leverage this vulnerability to elevate privileges and execute arbitrary commands on the target server.

(Quote by Alex Birnberg [zymo-security.com], who found this and was a great help in resolving the issue. Thanks again)

Affected are all versions prior to 0.10.34. We highly recommend to update to the current latest version or disable external API.

 

Changes in 0.10.34:

  • [security] fix validation of API parameters sql_search & sql_orderby
  • [php-fpm] php-sessionclean script moved from install/scripts/ to scripts/ and will automatically be added to the cron if php-fpm is enabled.
  • [docs] updated installation guide for debian/ubuntu (use [signed-by=...] for the gpg key instead of apt-key add)
  • [install] fix installation for mariadb-10.5
  • add return-code to the helper scripts in install/scripts/ in case of error when invoking these with bash or similiar
     

Changes in 0.10.34.1:

  • [cli] fix invalid return statements in helper scripts
  • [php-fpm] don't rely on executable flag being set for php-sessionclean script and respect croncmdline-setting
  • [cron] respect domain.writeerrorlog and domain.writeaccesslog when using log-to-pipe in Apache

 

Download: 0.10.34.1 | website


Visit http://www.froxlor.org or join our discord channel via https://discord.froxlor.org/ for support, help, participation or just a chat

Thank you,
d00p

Edited by d00p
Updated for 0.10.34.1 bugfix release
Link to comment
Share on other sites
  • d00p pinned this topic
  • d00p unpinned this topic

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing


×
×
  • Create New...