Froxlor 0.9.32 - Vulnerability in password reset

2014-06-29

A few days ago I had to set up a new web server for some friends who needed some web space. They had no experience with the administration of Linux servers, so I decided to install some eye candy control panel. From past experience and because of its lightness I chose Froxlor. However, I have not touched it for a long time. During the installation, I took a closer look at all those nice features which Froxlor gave me.
I took a look at the password reset and what is needed to reset a customer’s password. You only need the customer’s username and email address.
I noticed something which you can find at line 366 in Froxlor’s index.php.

// Set together our activation link
$host = $_SERVER['HTTP_HOST'];

During the creation of the password reset link Froxlor uses the host which was specified in the HTTP “Host” header. This allowed me to replace the original domain with any domain under my control. To “exploit” this a simple curl statement is enough:

curl \
    -d 'loginname=testuser&loginemail=test@user.tld&action=forgotpwd&send=send' \
    --header 'Host: any-domain-under-my-control.tld' \
    http://froxlor-host.tld/index.php

Once the user has clicked on the link in the email, you don’t even have to serve a page because you only need the reset string in the URL which can be found in the access log, for example.

So, all you need to take over someone’s Froxlor account is:

a Froxlor instance that is not running as a virtual host,
user email address,
username,
and a bit of social engineering (for example an e-mail to your victim that all passwords had been reset due to a hacker attack)

Without knowing the user email address, you have bad chances to exploit this vulnerability but with the valid email address and a bit of social engineering you have a good chance of taking over someone’s website.

A big thanks to d00p from Froxlor team. He immediately responded to my email and we worked out a solution together.