漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Froxlor has a BIND Zone File Injection via Unsanitized DNS Record Content in DomainZones::add()
Vulnerability Description
Froxlor is open source server administration software. Prior to version 2.3.6, `DomainZones::add()` accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the `content` field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., `NAPTR`, `PTR`, `HINFO`), content validation is entirely bypassed. Embedded newline characters in the content survive `trim()` processing, are stored in the database, and are written directly into BIND zone files via `DnsEntry::__toString()`. An authenticated customer can inject arbitrary DNS records and BIND directives (`$INCLUDE`, `$ORIGIN`, `$GENERATE`) into their domain's zone file. Version 2.3.6 fixes the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
Vulnerability Type
对CRLF序列的转义处理不恰当(CRLF注入)
Vulnerability Title
Froxlor 注入漏洞
Vulnerability Description
Froxlor是Froxlor团队的一套轻量级服务器管理软件。 Froxlor 2.3.6之前版本存在注入漏洞,该漏洞源于DomainZones::add()接受任意DNS记录类型且未清理content字段中的换行符,导致经过身份验证的客户可以注入任意DNS记录和BIND指令。
CVSS Information
N/A
Vulnerability Type
N/A