CVE-2021-42325
published 2021-10-12

CVE-2021-42325: Froxlor through 0.10.29.1 allows SQL injection in Database/Manager/DbManagerMySQL.php via a custom DB name.

Priority: P270 (critical)
CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: yes
EPSS: 11.81% (95.6th percentile)

Affected (2 ranges)

Vendor    Product   Version range        Fixed in
froxlor   froxlor   < 0.10.30            0.10.30
froxlor   froxlor   >= 0, < 0.10.30      0.10.30

Detection & IOCs (extracted from sources)

URL: /froxlor/customer_mysql.php
Path: /customer_mysql.php
Command: `;insert into panel_admins (loginname,password,customers_see_all,domains_see_all,caneditphpsettings,change_serversettings) values ('x','$5$ccd0bcdd9ab970b1$Hx/a0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8',1,1,1,1);--
  • Monitor POST requests to /customer_mysql.php containing SQL metacharacters (backtick, semicolon, INSERT, --) in the `custom_suffix` parameter, which is the injection point for CVE-2021-42325.
  • Alert on POST body containing URL-encoded SQL injection patterns targeting `custom_suffix`, specifically sequences like `%60%3B` (backtick+semicolon) followed by `insert+into+panel_admins`.
  • Detect unexpected new rows in the `panel_admins` table, especially accounts with `customers_see_all=1`, `domains_see_all=1`, `caneditphpsettings=1`, and `change_serversettings=1` created outside normal admin workflows.
  • Monitor the Froxlor 'Webserver reload command' field (System Settings > Webserver settings) for modifications by non-baseline admin accounts, as post-exploitation RCE is achieved by injecting commands there.
  • Watch for execution of `wget` or `php` commands spawned from the Froxlor cron job process (running as root), particularly writing or executing files like /runme.php.
  • The exploit requires the 'custom DB name' feature to be manually enabled (available from 0.10.28 onward); audit Froxlor configurations where this feature is active as a risk indicator.
  • The SQL injection via `custom_suffix` is only exploitable when the custom database name feature is manually enabled by the administrator; default installations are not vulnerable.
  • Exploitation requires an authenticated customer account; unauthenticated attackers cannot reach the vulnerable endpoint.
  • The RCE stage via 'Webserver reload command' filters the characters `;|&><\`$~?` via the `safe_exec` function; payloads must avoid these characters to succeed.
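As an added illustration of the first three detection bullets above (this is not part of the record and not Froxlor's code), the following Python flags POST requests to customer_mysql.php whose `custom_suffix` fails an allowlist and lists full-privilege `panel_admins` rows outside a known baseline; the allowlist regex, the (method, path, body) record format and the sample data are assumptions.

```python
import re
from typing import Optional
from urllib.parse import parse_qs

# Metacharacters and keywords named in the detection guidance; none of them
# belongs in a legitimate custom DB name suffix.
SQL_META = re.compile(r"[`;]|--|\binsert\b|\binto\b|\bpanel_admins\b", re.IGNORECASE)
# Assumed allowlist for a benign suffix (letters, digits, underscore); tune to local policy.
SAFE_SUFFIX = re.compile(r"^[A-Za-z0-9_]{1,32}$")
PRIV_FLAGS = ("customers_see_all", "domains_see_all", "caneditphpsettings", "change_serversettings")


def check_post(path: str, body: str) -> Optional[dict]:
    """Return a finding for a POST to customer_mysql.php whose custom_suffix fails the allowlist."""
    if not path.endswith("/customer_mysql.php"):
        return None
    for raw in parse_qs(body, keep_blank_values=True).get("custom_suffix", []):
        if SAFE_SUFFIX.match(raw):  # parse_qs has already percent-decoded the value
            continue
        hits = sorted({m.group(0).lower() for m in SQL_META.finditer(raw)})
        return {"path": path, "suffix": raw, "indicators": hits or ["non-allowlisted characters"]}
    return None


def scan_requests(records):
    """Run check_post over (method, path, body) tuples, e.g. parsed from a proxy or WAF log."""
    return [f for m, p, b in records if m == "POST" and (f := check_post(p, b))]


def suspicious_admins(rows, baseline):
    """Login names of panel_admins rows holding all four privilege flags that are not in the baseline."""
    return [r["loginname"] for r in rows
            if r["loginname"] not in baseline and all(r.get(k) == 1 for k in PRIV_FLAGS)]


# Constructed sample data (not real traffic): a benign add, a body carrying the URL-encoded
# pattern described above (%60%3B then insert+into+panel_admins), a GET, and an unrelated page.
SAMPLE_REQUESTS = [
    ("POST", "/froxlor/customer_mysql.php", "page=mysqls&action=add&custom_suffix=shop1"),
    ("POST", "/froxlor/customer_mysql.php", "page=mysqls&custom_suffix=%60%3Binsert+into+panel_admins"),
    ("GET", "/froxlor/customer_mysql.php", ""),
    ("POST", "/froxlor/customer_domains.php", "custom_suffix=%60%3B"),
]
SAMPLE_ADMINS = [
    {"loginname": "admin", "customers_see_all": 1, "domains_see_all": 1, "caneditphpsettings": 1, "change_serversettings": 1},
    {"loginname": "x", "customers_see_all": 1, "domains_see_all": 1, "caneditphpsettings": 1, "change_serversettings": 1},
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print("ALERT custom_suffix:", finding)
    print("unexpected full-privilege admins:", suspicious_admins(SAMPLE_ADMINS, {"admin"}))
```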

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P