GHSA-33mp-8p67-xj7c

Summary

A typo in Froxlor's input validation code (== instead of =) completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings — including shell metacharacters — in the panel.adminmail setting. This value is later concatenated into a shell command executed as root by a cron job, where the pipe character | is explicitly whitelisted. The result is full root-level Remote Code Execution.

Why This Is a Security Vulnerability (Not Just "Admin Using Admin Features")

Froxlor is a shared hosting control panel. In production deployments:

1. Admin panel access does not equal root access. Hosting providers assign the Froxlor admin role to staff who manage customer accounts, domains, and services through the web UI. These operators are not given SSH access or root shell on the underlying server. The boundary between "panel admin" and "OS root" is a deliberate security design.

2. Froxlor itself enforces this boundary. The safe_exec() function (FileDir.php:224-264) exists specifically to prevent shell injection — it blocks ;, |, &, >, <, `, $, ~, ?. The email validation function (validateFormFieldEmail) exists specifically to ensure email fields contain valid emails. Both mechanisms are security boundaries that this vulnerability bypasses.

3. The root cause is an unintentional code defect. The == operator on a standalone line is a no-op. No developer writes $x == 'mail'; intentionally. This is a typo that silently breaks an entire class of input validation. It is not an admin feature.

4. Comparable CVEs exist for similar hosting panel escalations:

   • CVE-2022-44877 (CentOS Web Panel: admin→root RCE, CVSS 9.8)
   • CVE-2023-27524 (Apache Superset: admin→RCE)
   • CVE-2021-21315 (Node.js systeminformation: privileged user→RCE)
   • CVE-2024-22024 (Ivanti: authenticated→system command execution)

   In each...