GHSA-q4rm-m6xh-5pv7: Froxlor customer can create MySQL databases on disallowed servers via Mysqls.add API
Summary
The Mysqls.add API command (lib/Froxlor/Api/Commands/Mysqls.php) accepts a customer-controlled mysql_server parameter and only validates that the value is numeric and that the server index exists in userdata.inc.php. It never checks the value against the calling customer's allowed_mysqlserver allowlist. A customer can therefore create a database, plus a MySQL user with a password they choose, on any MySQL server the operator has configured — including servers that were explicitly excluded from that customer (e.g. a separate cluster, premium-tier host, or another tenant pool). The same allowed_mysqlserver check is correctly enforced in MysqlServer::get() / MysqlServer::listing() and in the customer-facing UI (customer_mysql.php), confirming the omission is a bug, not by-design.
Details
Vulnerable code path — lib/Froxlor/Api/Commands/Mysqls.php:69-99 (add()):
public function add()
{
if (($this->getUserDetail('mysqls_used') < $this->getUserDetail('mysqls') || ...) {
...
$customer = $this->getCustomerData('mysqls'); // line 80
$dbserver = $this->getParam('mysql_server', true, // line 81 — user-controlled
$this->getDefaultMySqlServer($customer));
...
$dbserver = Validate::validate($dbserver, ..., '/^[0-9]+$/', ...); // line 92 — numeric only
Database::needRoot(true, $dbserver, false); // line 93 — root ctx for ANY index
Database::needSqlData();
$sql_root = Database::getSqlData();
Database::needRoot(false);
if (!is_array($sql_root)) { // line 97 — only existence check
throw new Exception("Database server with index #" . $dbserver . " is unknown", 404);
}
...
$username = $dbm->createDatabase($newdb_params['loginname'], $password,
$dbserver, ...);
Details
Original advisory: https://github.com/advisories/GHSA-q4rm-m6xh-5pv7
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10