CRLF injection in Froxlor - #VU135783
Published: June 29, 2026
Froxlor
Detailed vulnerability description
The vulnerability allows a remote user to inject arbitrary web server configuration directives and disclose sensitive information.
The vulnerability exists due to improper neutralization of CRLF sequences in subdomain redirect URL handling in lib/Froxlor/Api/Commands/SubDomains.php when processing customer-supplied redirect URLs during subdomain creation or update. A remote user can supply a redirect URL containing literal newline characters to inject arbitrary web server configuration directives and disclose sensitive information.
The injected content is written into the nginx or Apache virtual host configuration files during the cron rebuild cycle. A malformed payload can therefore cause a denial of service for all hosted customers, while a crafted payload can affect other hosted domains on the same server.
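The defensive check a practitioner would want here is to validate a customer-supplied redirect URL before it is ever interpolated into a generated vhost file. The following PHP is an added illustration, not Froxlor's own code or its fix: the function names `validateRedirectUrl` and `buildRedirectDirective`, the exact rule set, and the nginx/Apache directive forms are assumptions for demonstration. The core idea is to treat the value as untrusted text destined for a configuration file and reject anything that is not a plain absolute http(s) URL free of control, whitespace and quoting characters.

```php
<?php
// Added example (not Froxlor's code): validate a redirect URL before it is
// written into a generated vhost configuration. Names and rules are assumptions.
declare(strict_types=1);

function validateRedirectUrl(string $url): ?string
{
    // Any control character (CR, LF, NUL, ...) is never valid in a URL and is
    // exactly what lets a value break out of a single configuration directive.
    if (preg_match('/[\x00-\x1F\x7F]/', $url) === 1) {
        return 'control character in redirect URL';
    }
    // Reject percent-encoded CR/LF as well, in case the value is decoded later.
    if (preg_match('/%0[AaDd]/', $url) === 1) {
        return 'encoded CR/LF in redirect URL';
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return 'redirect URL must be absolute';
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return 'unsupported scheme';
    }
    // The host must be a syntactically valid DNS hostname.
    if (filter_var($parts['host'], FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
        return 'invalid host';
    }
    // Whitespace, quotes, angle brackets and backslashes could terminate or
    // alter the directive argument in either nginx or Apache syntax.
    if (preg_match('/[\s"\'<>\\\\]/', $url) === 1) {
        return 'forbidden character in redirect URL';
    }
    return null; // valid
}

// Only build a directive from a value that passed validation (illustrative forms).
function buildRedirectDirective(string $url, string $server): string
{
    $err = validateRedirectUrl($url);
    if ($err !== null) {
        throw new InvalidArgumentException($err);
    }
    return $server === 'nginx'
        ? 'return 301 ' . $url . ';'
        : 'Redirect 301 / ' . $url;
}

// Constructed sample inputs for the demo: one clean URL and three that must be rejected.
$samples = [
    "https://example.com/landing",
    "https://example.com/landing\nfoo",   // literal newline
    "https://example.com/%0D%0Ax",        // encoded CRLF
    "ftp://example.com/",                 // unsupported scheme
];
foreach ($samples as $s) {
    $err = validateRedirectUrl($s);
    printf("%-40s -> %s\n", addcslashes($s, "\0..\37"), $err ?? 'OK');
}
```

The point of the design is that validation happens at the API boundary, before persistence, so the cron rebuild only ever sees values that cannot contain a line break; rejecting rather than stripping the offending characters also makes the attempt visible in application logs.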