frxlor 2.3.6 DNS记录注入绕过(CVE-2026-30932)分析

漏洞概述 CVE-2026-30932 是 frxlor 中的一个不完整的修复漏洞。该漏洞涉及 DNS 记录内容的验证问题，具体表现为： LOC 记录正则表达式：使用 匹配换行符（允许嵌入换行符），TLSA 匹配类型 没有上限绑定在十六进制数据长度上，所有验证器返回未转义的输入而不进行区域文件转义。 影响：攻击者可以通过注入任意 DNS 记录到 bind9 区域文件中，实现域名劫持、钓鱼或 DNS 放大攻击。 影响范围 受影响版本：所有在修复前的 frxlor 版本（= 2.3.7。 修复方案 替换正则表达式：将 LOC 记录中的 替换为 以排除换行符。 添加最大长度限制：为 TLSA 匹配类型 数据添加最大长度限制。 转义换行符：在所有 DNS 记录内容写入区域文件之前，转义换行符。 POC 代码 ```python #!/usr/bin/env python3 """ CVE-2026-30932 - Incomplete DNS Record Content Validation in frxlor/frxlor Affected component: Lib/Froxlor/Api/Commands/DomainZones.php Vulnerability type: Input Validation / DNS Zone File Injection Patch: https://github.com/frxlor/frxlor/commit/e3482920c32618e37f6a1eab4260b277a88b The patch adds validation for LOC, RP, SSHFP, and TLSA DNS record types. However, the sanitization is incomplete: 1. PRE-FIX: No validation at all - arbitrary content stored as DNS records. 2. POST-FIX BYPASS: LOC regex \s+ matches newlines; TLSA matchingType=s allows unbounded hex data; validators return raw input without escaping. """ import re import sys import string def vulnerable_add_record(record_type, content): """Pre-fix: no validation for LOC, RP, SSHFP, TLSA.""" errors = [] if record_type in ('LOC', 'RP', 'SSHFP', 'TLSA'): pass return {"errors": errors, "content": content} def validate_dns_loc(inp): """Replicates Validate::validateDnsLoc from the patch.""" pattern = re.compile( r'^' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'([NSEW])\s+' r'(\d{1,3})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1,2})\s+' r'(\d{1

目标达成感谢每一位支持者 — 我们达成了 100% 目标！

frxlor 2.3.6 DNS记录注入绕过(CVE-2026-30932)分析

同源更多文章

目标达成 感谢每一位支持者 — 我们达成了 100% 目标！

frxlor 2.3.6 DNS记录注入绕过(CVE-2026-30932)分析

同源更多文章

目标达成感谢每一位支持者 — 我们达成了 100% 目标！