Froxlor 0.9.32 - Vulnerability in password reset

A few days ago I had to set up a new web server for some friends who wanted web space for their domains. They had no experience administering Linux servers, so I decided to install some eye-candy control panel. From past experience, and because it is lightweight, I chose Froxlor; however, I had not played with it for a long time. During the installation I took a closer look at all the nice features Froxlor offers. Then I looked at the password reset and what is needed to reset a customer’s password: the customer’s username and his email address. There is no security question or anything else, but that is acceptable, since if someone has access to the customer’s email address, the customer has already lost. But then I noticed something which you can find at line 366 in Froxlor’s index.php.

// Set together our activation link
$host = $_SERVER['HTTP_HOST'];

When building the password reset link, Froxlor uses the host name supplied in the HTTP “Host” header of the request. This allowed me to replace the original domain with any domain under my control. To “exploit” this, a simple curl statement is enough:

curl -d 'loginname=testuser&loginemail=test@user.tld&action=forgotpwd&send=send' \
--header 'Host: any-domain-under-my-control.tld' http://froxlor-host.tld/index.php

Once the user has clicked the link in the email, no further phishing is needed: the only thing required is the reset string in the URL, and because the link points at your domain, the request (including that string) shows up in your access log, for example.

So, all you need to take over someone’s Froxlor account is:

Without the email address the customer uses with Froxlor, your chances of exploiting this vulnerability are poor, but with a valid email address and a bit of social engineering you have a good chance of taking over someone’s website.
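To make the root cause and the fix concrete, here is an added example (my own illustration, not Froxlor’s code): the HTTP_HOST pattern from index.php next to a hardened version that builds the link from the administrator-configured host name and only uses the request’s Host header to log a mismatch. The function names, the query-string parameter names and the configured host value are hypothetical; the Host value in the sample request is the one from the curl command above.

```php
<?php
// Vulnerable pattern (mirrors line 366 of index.php): the link host is
// taken straight from the request, so whoever sends the request picks it.
function reset_link_vulnerable(array $server, string $token): string
{
    $host = $server['HTTP_HOST'];                         // attacker-controlled
    return 'http://' . $host . '/index.php?action=resetpwd&key=' . rawurlencode($token);
}

// Hardened pattern: the link host always comes from configuration.
// The request's Host header is compared only to detect tampering; it is
// never used to build the link, even when it does not match.
function reset_link_hardened(array $server, string $configured_host, string $token): string
{
    // Normalise both sides: drop an optional ":port" and lowercase.
    $request_host = strtolower(strtok($server['HTTP_HOST'] ?? '', ':'));
    $allowed      = strtolower($configured_host);

    if ($request_host !== $allowed) {
        // Detection hook: a reset request with a foreign Host header is
        // exactly what the curl command above produces, so log it.
        error_log("password reset: unexpected Host '$request_host' (expected '$allowed')");
    }
    return 'https://' . $allowed . '/index.php?action=resetpwd&key=' . rawurlencode($token);
}

// Constructed sample request: the Host header an attacker would send.
$sample_server = ['HTTP_HOST' => 'any-domain-under-my-control.tld'];
$token         = bin2hex(random_bytes(16));             // stand-in for the reset string

echo "vulnerable: " . reset_link_vulnerable($sample_server, $token) . PHP_EOL;
echo "hardened:   " . reset_link_hardened($sample_server, 'froxlor-host.tld', $token) . PHP_EOL;
```

The vulnerable variant yields a link to the attacker’s domain, while the hardened variant always points at froxlor-host.tld and leaves a log line about the mismatched Host header.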

A big thank you to d00p from the Froxlor team. He responded to my email immediately and we worked out a solution together.