Michael Kaufmann

**Name of the Vulnerable Software and Affected Versions** Froxlor versions 2.3.6 and earlier **Description** DNS record content is concatenated directly into bind9 zone files in the `DnsEntry.php` file, which allows for zone file injection. The issue stems from incomplete validation of LOC, RP, SSHFP, and TLSA records. Specifically, the LOC record regular expression uses `s+`, which matches newlines and allows embedded newlines to pass validation. Additionally, TLSA records with `matchingType=0` lack an upper bound on hex data length, potentially enabling DNS amplification or data exfiltration. All validators return raw input without zone-file escaping, allowing authenticated users with DNS management permissions to inject arbitrary records into zone files, which could lead to domain hijacking or phishing. **Recommendations** For versions 2.3.6 and earlier, update to version 2.3.7. Replace `s+` in the LOC regex with `[ t]+` to exclude newlines. Implement a maximum length for TLSA `matchingType=0` data. Escape or reject newlines in all DNS record content before writing to zone files.