Free admin panel: Code smuggling through cross-site scripting in Froxlor
Thanks to sloppy input filtering, attackers can execute JavaScript in the server admin's browser without logging in. A patch is available.
(Image: Created with AI in Bing Designer by heise online / dmk)
There is a security vulnerability in the free server admin panel Froxlor that could allow attackers to take over the server under certain circumstances. Of all places, it is the display function for failed login attempts where attackers can plant their own JavaScript, which is then executed by the server admin's browser. As one of the developers was able to demonstrate, fake administrator accounts can also be created this way.
Given this potential impact, the Froxlor team rates the vulnerability as critical, assigns it a CVSS score of 9.7 and has given it the CVE ID CVE-2024-34070. It affects all Froxlor versions before 2.1.9; the problem has been resolved in that version.
The Debian and Ubuntu packages provided by the Froxlor team in a separate repository are also already up to date. Administrators using Froxlor should patch quickly to avoid unnecessary risk.
XSS despite anti-XSS
In a security advisory on GitHub, the developers explain the flaw and how it came about in detail: Froxlor filters user input with an external library, "anti-xss", but this could be outwitted using a specially constructed JavaScript block.
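To illustrate the lesson behind this advisory, here is an added example in Python that is not Froxlor's code: a hypothetical failed-login log is rendered once by trusting a blocklist-style input filter alone and once by HTML-escaping every untrusted value at output time. The class, function names and log entries are constructed for the illustration.

```python
import html
import re
from dataclasses import dataclass, field


@dataclass
class FailedLoginLog:
    """Hypothetical failed-login log of an admin panel (constructed, not Froxlor's)."""
    entries: list = field(default_factory=list)

    def record(self, username: str, source_ip: str) -> None:
        # The attacker controls `username` without logging in: whatever is typed
        # into the login form ends up here verbatim.
        self.entries.append((username, source_ip))


def naive_input_filter(value: str) -> str:
    """Blocklist-style input filtering: strips <script> tags and nothing else.
    Any filter that tries to anticipate payloads can be outflanked in this way."""
    return re.sub(r"(?is)<\s*/?\s*script[^>]*>", "", value)


def render_unsafe(log: FailedLoginLog) -> str:
    """Renders the log for the admin, relying on the input filter alone."""
    rows = "".join(
        f"<tr><td>{naive_input_filter(user)}</td><td>{ip}</td></tr>"
        for user, ip in log.entries
    )
    return f"<table>{rows}</table>"


def render_safe(log: FailedLoginLog) -> str:
    """Context-aware output encoding: each untrusted value is HTML-escaped at the
    point where it is placed into markup, so no filter has to guess payloads."""
    rows = "".join(
        f"<tr><td>{html.escape(user, quote=True)}</td>"
        f"<td>{html.escape(ip, quote=True)}</td></tr>"
        for user, ip in log.entries
    )
    return f"<table>{rows}</table>"


# Detection check: does the rendered page still contain a tag with an event
# handler attribute, or a script tag?
ACTIVE_MARKUP = re.compile(r"(?is)<\s*[a-z][^>]*\bon[a-z]+\s*=|<\s*script")


def contains_active_markup(rendered: str) -> bool:
    return ACTIVE_MARKUP.search(rendered) is not None


# Constructed sample: one failed login with a malicious "username" (a textbook
# event-handler payload that a script-tag blocklist never touches), one benign.
log = FailedLoginLog()
log.record('<img src=x onerror="alert(1)">', "203.0.113.5")
log.record("alice", "198.51.100.7")
```

Run `contains_active_markup(render_unsafe(log))` and `contains_active_markup(render_safe(log))` to see that only the escape-on-output version leaves the admin's page without executable markup.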
Froxlor is used for convenient web-based administration of Linux servers and has functions that small web hosts or agencies can use to rent out hosting accounts. The software is a fork of the now discontinued SysCP project and sees itself as a free alternative to commercial solutions such as Plesk. Froxlor had its last serious security vulnerability almost 10 years ago: Attackers were able to read database passwords remotely.
(cku)