d00p Posted April 1, 2022 (edited)

Dear Froxlor Community,

with the introduction of the 0.10.x API, users are able to externally call the provided functions (if enabled, default disabled) and pass custom parameters to search/sort the queried entities.

Quote: This vulnerability allows remote attackers to execute arbitrary SQL queries on affected installations of froxlor. Authentication as an admin/customer with API access is required to exploit this vulnerability. The specific flaw exists within the `getOrderBy` and `getSearchWhere` methods located in the `ApiCommand.php` file. The issue results from the improper validation of the `sql_orderby` and/or `sql_search` parameters. An attacker can leverage this vulnerability to elevate privileges and execute arbitrary commands on the target server.

(Quote by Alex Birnberg [zymo-security.com], who found this and was a great help in resolving the issue. Thanks again)

Affected are all versions prior to 0.10.34. We highly recommend updating to the current latest version or disabling the external API.

Changes in 0.10.34:
- [security] fix validation of API parameters sql_search & sql_orderby
- [php-fpm] php-sessionclean script moved from install/scripts/ to scripts/ and will automatically be added to the cron if php-fpm is enabled
- [docs] updated installation guide for debian/ubuntu (use [signed-by=...] for the gpg key instead of apt-key add)
- [install] fix installation for mariadb-10.5
- add return-code to the helper scripts in install/scripts/ in case of error when invoking these with bash or similar

Changes in 0.10.34.1:
- [cli] fix invalid return statements in helper scripts
- [php-fpm] don't rely on executable flag being set for php-sessionclean script and respect croncmdline-setting
- [cron] respect domain.writeerrorlog and domain.writeaccesslog when using log-to-pipe in Apache

Download: 0.10.34.1 | website

Visit http://www.froxlor.org or join our discord channel via https://discord.froxlor.org/ for support, help, participation or just a chat.

Thank you,
d00p

Edited April 13, 2022 by d00p: Updated for 0.10.34.1 bugfix release
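The bug class behind the advisory above, shown as an added illustration that is not Froxlor's code and does not reproduce the actual contents of `ApiCommand.php`: an API that lets the caller name the sort column/direction or the search column, and interpolates those names into the SQL text, hands the caller an injection point even though the search *values* may be bound safely. The hypothetical table and column names (`customers`, `loginname`, `email`, `customerid`) and the function names `getOrderByVulnerable`, `getOrderBySafe`, `getSearchWhereSafe` are assumptions for the example; the hardened versions use an allowlist of column names, a fixed direction keyword and bound parameters for values, which is the general shape of a fix for this class of flaw.

```php
<?php
// Added example, not Froxlor's code. Demonstrates how caller-controlled
// sort/search parameters become SQL injection when used verbatim, and an
// allowlist-plus-bound-parameters version that does not. Table and column
// names below are hypothetical.

declare(strict_types=1);

// Columns the API is willing to sort or search on (assumed for this example).
const ALLOWED_COLUMNS = ['loginname', 'email', 'customerid'];

/** Vulnerable pattern: the caller-supplied field name and direction are
 *  concatenated straight into the ORDER BY clause without any validation. */
function getOrderByVulnerable(array $params): string
{
    if (empty($params['sql_orderby']) || !is_array($params['sql_orderby'])) {
        return '';
    }
    $parts = [];
    foreach ($params['sql_orderby'] as $field => $dir) {
        $parts[] = $field . ' ' . $dir;   // attacker text lands in the SQL verbatim
    }
    return ' ORDER BY ' . implode(', ', $parts);
}

/** Hardened: field must be an allowlisted column name, direction is
 *  normalised to one of two fixed keywords, identifier is quoted. */
function getOrderBySafe(array $params): string
{
    if (empty($params['sql_orderby']) || !is_array($params['sql_orderby'])) {
        return '';
    }
    $parts = [];
    foreach ($params['sql_orderby'] as $field => $dir) {
        if (!in_array((string) $field, ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException('Unknown sort field: ' . $field);
        }
        $dir = strtoupper((string) $dir) === 'DESC' ? 'DESC' : 'ASC';
        $parts[] = '`' . $field . '` ' . $dir;
    }
    return ' ORDER BY ' . implode(', ', $parts);
}

/** Hardened search: column name allowlisted, search value bound as a
 *  named parameter so it never becomes part of the SQL text. The
 *  placeholder/value pairs are collected in $bind for the caller to pass
 *  to PDOStatement::execute(). */
function getSearchWhereSafe(array $params, array &$bind): string
{
    if (empty($params['sql_search']) || !is_array($params['sql_search'])) {
        return '';
    }
    $clauses = [];
    foreach ($params['sql_search'] as $field => $value) {
        if (!in_array((string) $field, ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException('Unknown search field: ' . $field);
        }
        $placeholder = ':search_' . $field;
        $clauses[] = '`' . $field . '` LIKE ' . $placeholder;
        $bind[$placeholder] = '%' . (string) $value . '%';
    }
    return ' WHERE ' . implode(' AND ', $clauses);
}

// Constructed attacker input: the "column" to sort by is a subquery, which is
// a classic time-based blind injection probe inside an ORDER BY clause.
$malicious = ['sql_orderby' => ['(SELECT SLEEP(5))' => 'ASC']];

// Vulnerable: the subquery is reproduced inside the generated SQL.
echo 'vulnerable: ', getOrderByVulnerable($malicious), PHP_EOL;

// Hardened: the same input is rejected because the field is not allowlisted.
try {
    getOrderBySafe($malicious);
} catch (InvalidArgumentException $e) {
    echo 'hardened:   rejected (', $e->getMessage(), ')', PHP_EOL;
}

// Hardened with legitimate input: identifiers are quoted, direction is
// normalised, and the search value only appears in the bind array.
$bind = [];
$sql = 'SELECT loginname, email FROM customers'
     . getSearchWhereSafe(['sql_search' => ['email' => "' OR 1=1 --"]], $bind)
     . getOrderBySafe(['sql_orderby' => ['loginname' => 'desc']]);
echo 'hardened:   ', $sql, PHP_EOL;
print_r($bind);
```

The point worth keeping in mind when reviewing a fix of this kind: binding the search value is necessary but not sufficient, because column names and sort directions cannot be bound as parameters in MySQL/MariaDB prepared statements; those have to be checked against a fixed list of identifiers the API actually supports, and anything else rejected rather than "escaped".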