CVE-2023-0315
Published 2023-01-16. CVE-2023-0315: Command Injection in GitHub repository froxlor/froxlor prior to 2.0.8.
Priority P2 · 78 · high · 8.8 (CVSS 3.1)
AV:N AC:L PR:L UI:N S:U C:H I:H A:H
EXPLOIT
EPSS: 97.65% (99.9th percentile)
Command Injection in GitHub repository froxlor/froxlor prior to 2.0.8.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| froxlor | froxlor | < 2.0.8 | 2.0.8 |
| froxlor | froxlor | >= 0 < 2.0.8 | 2.0.8 |
| froxlor | froxlor_froxlor | >= unspecified < 2.0.8 | 2.0.8 |
Detection & IOCs (extracted from sources)
- Detect POST requests to /admin_settings.php?page=overview&part=logging that set the logger_logfile parameter to a path ending in .twig — this is the log-path manipulation step of the exploit.
- Detect POST requests to /admin_index.php with a body containing the Twig SSTI filter-exec pattern: {{[' ... ']|filter('exec')}} — this is the template injection payload delivery step.
- Detect POST requests to /admin_index.php with page=change_theme and a 'theme' parameter containing Twig expression syntax ({{ and }}) — indicates SSTI payload injection via the theme-change endpoint.
- Monitor for mkfifo and netcat (nc) execution under the www-data process tree — these are spawned by the reverse shell one-liner written into the poisoned Twig template.
- The exploit requires valid admin credentials — it is an authenticated RCE. Detection rules should focus on the post-login log-path change and template injection steps rather than the login itself.
- The exploit targets Froxlor v2.0.7 and below; the vulnerability is patched in v2.0.8. Ensure version detection is part of asset inventory checks.
- The reverse shell executes under the www-data user; privilege escalation is not part of this CVE's scope. Post-exploitation activity will appear as www-data spawning shells.
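The three request-level detections above, encoded as a checker over constructed sample request records. This is an added example, not code from the page's sources; it assumes a WAF or application audit log that retains the POST body (a plain access log does not), and the sample file paths are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample records (not real traffic). Each record is assumed to carry
# the method, the request URI and the raw POST body from an audit/WAF log.
SAMPLE_REQUESTS = [
    {"method": "POST", "uri": "/admin_settings.php?page=overview&part=logging",
     "body": "logger_logfile=/path/to/template.twig&send=send"},
    {"method": "POST", "uri": "/admin_index.php",
     "body": "page=change_theme&theme={{['id']|filter('exec')}}"},
    {"method": "POST", "uri": "/admin_settings.php?page=overview&part=logging",
     "body": "logger_logfile=/var/log/froxlor/froxlor.log&send=send"},
    {"method": "GET", "uri": "/admin_index.php?page=change_theme&theme=Froxlor",
     "body": ""},
]

# Twig expression delimiters and the filter('exec') pattern quoted in the IOC list.
TWIG_EXPR = re.compile(r"\{\{.*?\}\}", re.S)
FILTER_EXEC = re.compile(r"\|\s*filter\(\s*['\"]exec['\"]\s*\)")


def classify(req):
    """Return the CVE-2023-0315 detection names that match one request record."""
    hits = []
    parts = urlsplit(req["uri"])
    params = parse_qs(parts.query)
    params.update(parse_qs(req.get("body", "")))  # body fields take precedence

    def first(key):
        return params.get(key, [""])[0]

    # All decoded parameter values, so URL-encoded payloads are still inspected.
    values = " ".join(v for vs in params.values() for v in vs)
    is_post = req["method"].upper() == "POST"
    if (is_post and parts.path.endswith("/admin_settings.php")
            and first("page") == "overview" and first("part") == "logging"
            and first("logger_logfile").lower().endswith(".twig")):
        hits.append("log-path-to-twig")
    if is_post and parts.path.endswith("/admin_index.php"):
        if FILTER_EXEC.search(values):
            hits.append("twig-filter-exec")
        if first("page") == "change_theme" and TWIG_EXPR.search(first("theme")):
            hits.append("theme-ssti")
    return hits


def scan(records):
    """Return (index, hits) for every record that triggers at least one detection."""
    flagged = []
    for i, rec in enumerate(records):
        hits = classify(rec)
        if hits:
            flagged.append((i, hits))
    return flagged
```

Record 0 and record 1 are flagged; the legitimate log path in record 2 and the GET in record 3 are not.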
CVSS provenance
NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD v3.0: 7.2 HIGH, CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
GHSA (2023-01-16): Froxlor vulnerable to Command Injection
CVE-2023-0315 [HIGH] CWE-77
Command Injection in GitHub repository froxlor/froxlor prior to 2.0.8.
OSV (2023-01-16): Froxlor vulnerable to Command Injection
CVE-2023-0315 [HIGH]
Command Injection in GitHub repository froxlor/froxlor prior to 2.0.8.
No detection rules found.
Exploit-DB (2023-04-05, CVSS 8.8): Froxlor 2.0.3 Stable - Remote Code Execution (RCE)
CVE-2023-0315 [HIGH]
---
```python
#!/usr/bin/python3
# Exploit Title: Froxlor 2.0.3 Stable - Remote Code Execution (RCE)
# Date: 2023-01-08
# Exploit Author: Askar (@mohammadaskar2)
# CVE: CVE-2023-0315
# Vendor Homepage: https://froxlor.org/
# Version: v2.0.3
# Tested on: Ubuntu 20.04 / PHP 8.2
import telnetlib
import requests
import socket
import sys
import warnings
import random
import string
from bs4 import BeautifulSoup
from urllib.parse import quote
from threading import Thread

warnings.filterwarnings("ignore", category=UserWarning, module='bs4')

if len(sys.argv) != 6:
    print("[~] Usage : ./froxlor-rce.py url username password ip port")
    exit()

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]
```
Metasploit: Froxlor Log Path RCE
Froxlor v2.0.7 and below suffer from a bug that allows authenticated users to change the application log path to any directory on the OS that the www-data user can write to, without restrictions from the backend. This leads to writing a malicious Twig template that the application will render, which achieves remote command execution as the www-data user.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/171108/Froxlor-2.0.6-Remote-Command-Execution.html
- http://packetstormsecurity.com/files/171729/Froxlor-2.0.3-Stable-Remote-Code-Execution.html
- https://github.com/froxlor/froxlor/commit/090cfc26f2722ac3036cc7fd1861955bc36f065a
- https://huntr.dev/bounties/ff4e177b-ba48-4913-bbfa-ab8ce0db5943