Froxlor 2.0.21 - Remote Command Execution
Severity: 8 (High)
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Froxlor 2.0.21 - Remote Command Execution
Code name
State
Private
Release date
Aug 11, 2023
Affected product
Froxlor 2.0.21
Affected version(s)
Version 2.0.21
Vulnerability name
Remote Command Execution
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:H/RL:U/RC:C
CVSS v3.1 base score
8.0
Exploit available
Yes
CVE ID(s)
Description
Froxlor allows a user to execute commands on the server by abusing the built-in image upload and cron job functionality.
Vulnerability
A Remote Command Execution (RCE) vulnerability has been identified in Froxlor. It is possible to upload profile images without proper validation of their type and content, and the application also allows creating cron jobs without validating dangerous commands; together, these two flaws lead to remote code execution.

Exploitation
Will be available soon.
Evidence of exploitation
In the Froxlor portal, we need to go to System -> Settings -> Panel Settings and upload a logo image, then we have to add our payload in the image content:

After that, we need to get the image name, go to System -> Cronjob settings and add our payload:

Finally, we need to wait for the cron job task to execute the mv command that changes the image to a .php extension, which allows commands to be executed on the server.
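As an added defensive illustration (not Froxlor's code; the upload directory path, function names and sample inputs are assumed), these are the two server-side checks the advisory says are missing: validating that a logo upload really is an image of the declared type and carries no script markers, and refusing cron commands that touch the upload directory or chain shell operators.

```python
import re

# Magic bytes for the logo formats a panel would reasonably accept.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Script markers that have no business inside an image body; re-encoding the
# image through a trusted library is the stronger mitigation, this is the minimum.
CODE_MARKERS = (b"<?php", b"<?=", b"<script")

# Assumed location where uploaded logos are stored (placeholder path).
UPLOAD_DIR = "/var/www/froxlor/img"


def validate_logo(filename: str, data: bytes) -> tuple[bool, str]:
    """Hypothetical hardened upload check: extension allowlist, magic bytes must
    match the claimed type, and the body must not carry script markers that a
    later rename to .php would turn into executable code."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return False, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared image type"
    for marker in CODE_MARKERS:
        if marker in data:
            return False, "embedded code marker found"
    return True, "ok"


def validate_cron_command(command: str) -> tuple[bool, str]:
    """Refuse cron entries that reference the upload directory (the rename step
    in the chain above) or that use shell operators to chain further commands.
    An allowlist of permitted binaries would be stronger still."""
    if UPLOAD_DIR in command:
        return False, "command references the upload directory"
    if re.search(r"[;&|`$><]", command):
        return False, "shell operators are not permitted"
    return True, "ok"


# Constructed samples (not real payloads): a bare PNG header padded with zeros,
# and the same header followed by a PHP open tag.
CLEAN_PNG = MAGIC["png"] + b"\x00" * 16
TAGGED_PNG = MAGIC["png"] + b"<?php /* constructed marker */ ?>"
```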

Our security policy
We have reserved the ID CVE-2023-3895 to refer to this issue from now on.
System Information
Version: Froxlor 2.0.21
Operating System: Linux
Mitigation
There is currently no patch available for this vulnerability.
References
Vendor page https://github.com/Froxlor/Froxlor
Timeline
Vulnerability discovered
Jul 24, 2023
Vendor Confirmed Vuln.
Jul 25, 2023
Vendor contacted
Jul 24, 2023
Vendor replied
Jul 25, 2023
Public disclosure
Aug 11, 2023