GHSA-34qg-65m4-f23m: 
PHP vulnerability analysis and mitigation

A high severity vulnerability was discovered in Froxlor versions 2.1.9 and earlier (up to 2.2.0-rc3) where the XML templates in lib/configfiles/ set incorrect file permissions (chmod 644) for /etc/pure-ftpd/db/mysql.conf, exposing sensitive database credentials. This vulnerability affects Froxlor instances configured to use pure-ftpd, particularly on Debian 12 systems where parent directories are world-readable by default (GitHub Advisory).

The vulnerability (GHSA-34qg-65m4-f23m) stems from improper file permissions configuration where the mysql.conf file is set to chmod 644, making it readable by all users on the system. The vulnerability has a CVSS v3.1 score of 7.3 (High) with the following metrics: Attack Vector: Local, Attack Complexity: Low, Privileges Required: Low, User Interaction: None, Scope: Unchanged, Confidentiality: High, Integrity: High, Availability: Low (GitHub Advisory).

The vulnerability allows any unprivileged user with command/code execution access to obtain credentials granting access to the Froxlor MySQL database. This access can be exploited even by virtual users without SSH access who can upload PHP scripts or CGIs. More critically, the database access can be leveraged to obtain Froxlor admin privileges and subsequently root privileges through manipulation of admin password hashes, TOTP seed values, and cron daemon settings (GitHub Advisory).

The vulnerability has been patched in Froxlor version 2.2.0. As a workaround, it is recommended to use passwordless unix socket authentication. Current versions of MySQL, MariaDB, and Percona support removing database passwords for connections through unix sockets, even when the database user differs from the system account running the database client (GitHub Advisory).