Froxlor: Authenticated customers can read other customers' allowed sender aliases
📋 Description
Summary
An authenticated customer can read other customers' allowed sender aliases from Froxlor's sender-delete confirmation page when mail.enable_allow_sender is enabled. customer_email.php loads allowed_sender by global auto-increment senderid alone, so a customer can enumerate foreign sender alias IDs and make Froxlor disclose those values in the confirmation dialog for the attacker's own mailbox.
Details
The vulnerable read lives in customer_email.php:
$senderid = Request::any('senderid', 0);
...
$sel_stmt = Database::prepare("SELECT `allowed_sender` FROM `" . TABLE_MAIL_SENDER_ALIAS . "` WHERE `id` = :sid");
$sender_data = Database::pexecute_first($sel_stmt, ['sid' => $senderid]);
HTML::askYesNo('email_reallydelete_sender', $filename, [
'id' => $id,
'senderid' => $senderid,
'page' => $page,
'domainid' => $email_domainid,
'action' => $action
], $idna_convert->decode($result['email_full']) . ' -> ' . $sender_data['allowed_sender']);
The query does not scope senderid to the current customer or to the mailbox being edited. mail_sender_aliases.id is a global AUTO_INCREMENT primary key:
CREATE TABLE `mail_sender_aliases` (
`id` int(11) NOT NULL auto_increment,
`email` varchar(255) NOT NULL,
`allowed_sender` varchar(255) NOT NULL,
PRIMARY KEY (`id`)
)
That makes sender alias IDs enumerable. A customer who owns any mailbox with sender-alias management enabled can request the delete-confirmation page for their own mailbox while supplying foreign senderid values. Froxlor then renders the foreign allowed_sender string in the confirmation prompt.
Proof of Concept
Verified against Froxlor 2.3.6 on a fresh test install with mail.enable_allow_sender=1.
- Create two customers,
victimandattacker. - Give each customer one mailbox.
- Add a sender alias for the victim mailbox:
[email protected] -> [email protected]
- Log in as the attacker and request the delete-confirmation page for the attacker's own mailbox while supplying the victim's sender alias ID:
/customer_email.php?page=senders&domainid=4&action=delete&id=2&senderid=1
Observed in the live test instance:
Do you really want to delete the allowed sender [email protected] -> [email protected]?
The attacker-controlled mailbox identifier stayed [email protected], but the disclosed sender alias text came from the victim-owned row identified by senderid=1.
Impact
An authenticated customer can enumerate global sender alias IDs and read other customers' allowed sender values. This is a cross-tenant information disclosure. It does not let the attacker delete the foreign alias because the delete action revalidates ownership.
Recommended Fix
Scope the sender alias lookup to the current customer and mailbox before rendering the confirmation page. The confirmation flow should fetch the sender alias through the same ownership checks used by EmailSender::delete().
Found by aisafe.io
🎯 Affected products1
- composer/froxlor/froxlor:<= 2.3.6