PT-2026-44907 · Froxlor · Froxlor
Larlarua
·
Published
2026-05-29
·
Updated
2026-06-08
·
CVE-2026-41236
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Froxlor version 2.3.6
Description
A symlink-following flaw exists in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to
~/.ssh/authorized keys within a customer-controlled home directory without verifying if the target path is a symbolic link. An attacker with a shell-enabled customer account can replace ~/.ssh/authorized keys with a symlink pointing to /root/.ssh/authorized keys. When the privileged cron task executes the SshKeys::generateFiles() function and subsequently appends the key, the attacker-supplied key is added to the root user's authorized key file, granting the attacker root SSH access. This process involves the SshKeys.add API call and the makeCorrectFile() function, which fails to resolve or reject symlinks.Recommendations
Update to version 2.3.7.
Exploit
Fix
LPE
Link Following
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Froxlor