PT-2026-44908 · Froxlor+1 · Froxlor+1
Michael Kaufmann
·
Published
2026-05-29
·
Updated
2026-06-04
·
CVE-2026-41237
CVSS v4.0
8.6
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Froxlor versions 2.3.6 and earlier
Description
DNS record content is concatenated directly into bind9 zone files in the
DnsEntry.php file, which allows for zone file injection. The issue stems from incomplete validation of LOC, RP, SSHFP, and TLSA records. Specifically, the LOC record regular expression uses s+, which matches newlines and allows embedded newlines to pass validation. Additionally, TLSA records with matchingType=0 lack an upper bound on hex data length, potentially enabling DNS amplification or data exfiltration. All validators return raw input without zone-file escaping, allowing authenticated users with DNS management permissions to inject arbitrary records into zone files, which could lead to domain hijacking or phishing.Recommendations
For versions 2.3.6 and earlier, update to version 2.3.7.
Replace
s+ in the LOC regex with [ t]+ to exclude newlines.
Implement a maximum length for TLSA matchingType=0 data.
Escape or reject newlines in all DNS record content before writing to zone files.Exploit
Fix
Special Elements Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Froxlor
Bind 9