Hett-Patell

**Name of the Vulnerable Software and Affected Versions** Froxlor versions prior to 2.3.7 **Description** The 'DomainZones.add' API endpoint fails to sanitize newline characters within TXT record content. An authenticated customer with DNS editing permissions can inject newlines into TXT record values, allowing them to break out of the record line in the generated BIND zone file. This enables the injection of arbitrary DNS records (such as A, MX, and CNAME) and BIND directives, specifically `$INCLUDE` and `$GENERATE`. Technical exploitation can lead to: - Information Disclosure: Using the `$INCLUDE` directive to force BIND to read world-readable files from the server. - DNS Record Injection: Creating unauthorized subdomains or intercepting email by injecting A, MX, or CNAME records. - DNS Service Disruption: Causing BIND to reject the zone file due to malformed content or using `$GENERATE` to create massive record sets for amplification. The issue resides in the `Dns::encloseTXTContent()` function, which only manages surrounding quotes and does not strip newlines, carriage returns, or BIND zone metacharacters. **Recommendations** Update to version 2.3.7. As a temporary workaround, restrict access to the 'DomainZones.add' API endpoint or disable DNS editing for customers until the update is applied.