Froxlor 2.0.6 Remote Command Execution
Froxlor versions 2.0.6 and below suffer from a bug that allows
authenticated users to change the application log path, from the backend,
to any directory on the OS that the user www-data can write to without
restrictions. This makes it possible to write a malicious Twig template
that the application will render, which leads to remote command execution
as the user www-data.
https://packetstormsecurity.com/files/171108/froxlor_log_path_rce.rb.txt
Thu, 23 Feb 2023 16:34:45 GMT
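Added example, not taken from the advisory or from Froxlor's code: one way an application can confine a user-configurable log file path to a single fixed directory so that it can never resolve into a template directory. The function name, the fixed log root and the demo paths are assumptions made for illustration, and POSIX paths are assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not Froxlor code): accept a user-supplied log file path
// only if it resolves to a *.log file directly under one fixed log root.
function isAllowedLogPath(string $candidate, string $logRoot): bool
{
    if ($candidate === '' || $candidate[0] !== '/' || strpos($candidate, "\0") !== false) {
        return false;                    // absolute paths only, no NUL bytes
    }
    $root = realpath($logRoot);
    // The log file may not exist yet, so canonicalize its parent directory.
    $parent = realpath(dirname($candidate));
    if ($root === false || $parent === false) {
        return false;
    }
    // realpath() has resolved ".." and symlinks. Compare with a trailing
    // separator so "/x/logs-evil" is not treated as a child of "/x/logs".
    if (strncmp($parent . '/', $root . '/', strlen($root) + 1) !== 0) {
        return false;
    }
    // Restrict the file name so the log can never be named like a template.
    if (!preg_match('/\A[A-Za-z0-9._-]+\.log\z/', basename($candidate))) {
        return false;
    }
    if (is_link($candidate)) {
        return false;                    // refuse symlinks, dangling ones included
    }
    return !file_exists($candidate) || is_file($candidate);
}

// Constructed demo layout in a temporary directory (illustrative paths only).
$base = sys_get_temp_dir() . '/logpath_demo_' . getmypid();
@mkdir("$base/logs", 0700, true);
@mkdir("$base/templates", 0700, true);

$tests = [
    "$base/logs/panel.log"             => true,   // inside the log root
    "$base/logs/../templates/page.log" => false,  // ".." escapes the log root
    "$base/templates/index.html.twig"  => false,  // template directory
    "$base/logs/index.html.twig"       => false,  // template-style file name
    "logs/panel.log"                   => false,  // relative path
];
foreach ($tests as $path => $expected) {
    $got = isAllowedLogPath($path, "$base/logs");
    printf("%-4s %s\n", $got === $expected ? 'ok' : 'FAIL', $path);
}
rmdir("$base/logs"); rmdir("$base/templates"); rmdir($base);
```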
________________________________
--- The information is for informational purposes only.
* Origin: Read us with
http://winpoint.org JID:
rs@captflint.com (2:467/4.444)