Froxlor Forum

Security Release 0.10.34 - Possible authenticated SQL injection via API


Dear Froxlor Community,

With the introduction of the 0.10.x API, users are able to externally call the provided functions (if enabled; disabled by default) and pass custom parameters to search/sort the queried entities.

This vulnerability allows remote attackers to execute arbitrary SQL queries on affected installations of froxlor. Authentication as an admin/customer with API access is required to exploit this vulnerability.

The specific flaw exists within the `getOrderBy` and `getSearchWhere` methods located in the `ApiCommand.php` file. The issue results from the improper validation of the `sql_orderby` and/or `sql_search` parameters. An attacker can leverage this vulnerability to elevate privileges and execute arbitrary commands on the target server.

(Quote by Alex Birnberg [zymo-security.com], who found this and was a great help in resolving the issue. Thanks again)

Affected are all versions prior to 0.10.34. We highly recommend updating to the current latest version or disabling the external API.

 

Changes in 0.10.34:

  • [security] fix validation of API parameters sql_search & sql_orderby
  • [php-fpm] php-sessionclean script moved from install/scripts/ to scripts/ and will automatically be added to the cron if php-fpm is enabled.
  • [docs] updated installation guide for debian/ubuntu (use [signed-by=...] for the gpg key instead of apt-key add)
  • [install] fix installation for mariadb-10.5
  • add return-code to the helper scripts in install/scripts/ in case of error when invoking these with bash or similar


Changes in 0.10.34.1:

  • [cli] fix invalid return statements in helper scripts
  • [php-fpm] don't rely on executable flag being set for php-sessionclean script and respect croncmdline-setting
  • [cron] respect domain.writeerrorlog and domain.writeaccesslog when using log-to-pipe in Apache

 

Download: 0.10.34.1 | website


Visit http://www.froxlor.org or join our discord channel via https://discord.froxlor.org/ for support, help, participation or just a chat

Thank you,
d00p

Edited by d00p
Updated for 0.10.34.1 bugfix release
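The advisory above says the flaw was missing validation of the `sql_orderby` and `sql_search` API parameters before they reached the ORDER BY / WHERE clauses in `getOrderBy` and `getSearchWhere`. The following is an added example, not Froxlor's code and not the actual 0.10.34 fix: it shows the unsafe concatenation pattern next to one way to harden it (allowlisted column names, allowlisted operators and sort direction, search values passed as bound parameters). The method names are borrowed from the advisory; the column list, the `op`/`value` shape of `sql_search`, and the sample inputs are assumptions made for the example.

```php
<?php
// Added example (not Froxlor's code): validating API-supplied sort/search
// parameters before they are spliced into an SQL statement.
// Column names, the sql_search shape and the inputs below are hypothetical.

declare(strict_types=1);

final class QueryParamValidator
{
    /** Columns the API caller may sort or search on (hypothetical allowlist). */
    private const ALLOWED_COLUMNS = ['id', 'customerid', 'domain', 'loginname'];

    /** Comparison operators the caller may use in sql_search. */
    private const ALLOWED_OPERATORS = ['=', '<>', '<', '>', '<=', '>=', 'LIKE'];

    /**
     * Vulnerable pattern, kept for comparison: the caller's string goes into
     * the ORDER BY clause verbatim, so a subquery or a second statement
     * becomes part of the query text.
     */
    public static function unsafeOrderBy(string $sqlOrderby): string
    {
        return ' ORDER BY ' . $sqlOrderby;
    }

    /**
     * Hardened form: accept only "<column>" or "<column> <ASC|DESC>", require
     * the column to be allowlisted, and quote the identifier ourselves.
     * Returns null when the input is rejected.
     */
    public static function getOrderBy(string $sqlOrderby): ?string
    {
        if (!preg_match('/^\s*([A-Za-z0-9_]+)(?:\s+(ASC|DESC))?\s*$/i', $sqlOrderby, $m)) {
            return null;
        }
        $column = strtolower($m[1]);
        if (!in_array($column, self::ALLOWED_COLUMNS, true)) {
            return null;
        }
        $direction = isset($m[2]) ? strtoupper($m[2]) : 'ASC';
        return ' ORDER BY `' . $column . '` ' . $direction;
    }

    /**
     * Hardened search: sql_search is assumed to be column => ['op' => .., 'value' => ..].
     * Column and operator are checked against allowlists; the value is never
     * placed in the SQL text but returned as a named binding for the driver.
     *
     * @param array<string, array{op?: string, value?: string}> $sqlSearch
     * @return array{0: string, 1: array<string, string>}|null  [where clause, bindings]
     */
    public static function getSearchWhere(array $sqlSearch): ?array
    {
        $clauses = [];
        $bindings = [];
        $i = 0;
        foreach ($sqlSearch as $column => $spec) {
            $column = strtolower((string) $column);
            if (!in_array($column, self::ALLOWED_COLUMNS, true)) {
                return null;
            }
            $op = strtoupper(trim((string) ($spec['op'] ?? '=')));
            if (!in_array($op, self::ALLOWED_OPERATORS, true)) {
                return null;
            }
            $param = ':search' . $i++;
            $clauses[] = '`' . $column . '` ' . $op . ' ' . $param;
            $bindings[$param] = (string) ($spec['value'] ?? '');
        }
        if ($clauses === []) {
            return ['', []];
        }
        return [' WHERE ' . implode(' AND ', $clauses), $bindings];
    }
}

// Constructed inputs: two legitimate sort requests followed by injection
// attempts that the hardened getOrderBy must reject.
$cases = [
    'domain DESC',
    'id',
    'id; DROP TABLE t',
    'id, (SELECT secret FROM t LIMIT 1)',
    'id ASC -- comment',
];
foreach ($cases as $input) {
    $unsafe = QueryParamValidator::unsafeOrderBy($input);
    $safe = QueryParamValidator::getOrderBy($input);
    printf("%-40s unsafe:%s\n%-40s safe:  %s\n", $input, $unsafe, '', $safe ?? 'REJECTED');
}

// Search values are bound, so an attempted boolean injection stays a plain literal.
[$where, $bind] = QueryParamValidator::getSearchWhere([
    'loginname'  => ['op' => 'LIKE', 'value' => 'web%'],
    'customerid' => ['op' => '=',    'value' => '1 OR 1=1'],
]);
echo $where, PHP_EOL;
print_r($bind);
```

The point of the allowlist approach is that an ORDER BY column or a WHERE field name cannot be passed as a bound parameter in prepared statements, so the only safe option is to compare the caller's string against the set of identifiers the server already knows; everything that is a value, not an identifier, should go through the driver's parameter binding instead of string concatenation.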


Thanks for Update !!!!!
