GHSA-mr9h-45p9-fg8h: Froxlor: Authenticated customers can read other customers' allowed sender aliases
Summary
An authenticated customer can read other customers' allowed sender aliases from Froxlor's sender-delete confirmation page when mail.enable_allow_sender is enabled. customer_email.php loads allowed_sender by global auto-increment senderid alone, so a customer can enumerate foreign sender alias IDs and make Froxlor disclose those values in the confirmation dialog for the attacker's own mailbox.
Details
The vulnerable read lives in customer_email.php:
$senderid = Request::any('senderid', 0);
...
$sel_stmt = Database::prepare("SELECT allowed_sender FROM " . TABLE_MAIL_SENDER_ALIAS . " WHERE id = :sid");
$sender_data = Database::pexecute_first($sel_stmt, ['sid' => $senderid]);
HTML::askYesNo('email_reallydelete_sender', $filename, [
'id' => $id,
'senderid' => $senderid,
'page' => $page,
'domainid' => $email_domainid,
'action' => $action
], $idna_convert->decode($result['email_full']) . ' -> ' . $sender_data['allowed_sender']);
The query does not scope senderid to the current customer or to the mailbox being edited. mail_sender_aliases.id is a global AUTO_INCREMENT primary key:
CREATE TABLE mail_sender_aliases (
id int(11) NOT NULL auto_increment,
email varchar(255) NOT NULL,
allowed_sender varchar(255) NOT NULL,
PRIMARY KEY (id)
)
That makes sender alias IDs enumerable. A customer who owns any mailbox with sender-alias management enabled can request the delete-confirmation page for their own mailbox while supplying foreign senderid values. Froxlor then renders the foreign allowed_sender string in the confirmation prompt.
Proof of Concept
Verified against Froxlor 2.3.6 on a fresh test install with mail.enable_allow_sender=1.
1. Create two customers, victim and attacker.
2. Give each customer one mailbox.
3. Add a sender alias for the victim mailbox:
info@victim.local -> leaked-sender@example.org
4. Log in as the attacker and request the
Details
Original advisory: https://github.com/advisories/GHSA-mr9h-45p9-fg8h
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10