Home / exploitsPDF  

Froxlor 2.0.6 Remote Command Execution

Posted on 23 February 2023

Froxlor versions 2.0.6 and below suffer from a bug that allows authenticated users to change the application logs path to any directory on the OS level which the user www-data can write without restrictions from the backend which leads to writing a malicious Twig template that the application will render. That leads to remote command execution under the user www-data.

 

TOP