CVE-2020-10236

A local attacker on the same system can exploit the predictable temporary file name `/tmp/userdata.inc.php` during Froxlor installation [ref_id=1]. Because the filename is static, the attacker can pre-create a symlink or a file at that path to either cause a denial of service (by preventing the installer from writing the config) or to read the configuration data (which may contain sensitive credentials) after the installer writes it [CWE-20]. The attack requires local access to the machine and that the Froxlor installation directory is not writable, triggering the fallback to `/tmp` [patch_id=1702830].

The vulnerability resides in the `_createUserdataConf` method within `install/lib/class.FroxlorInstall.php`. When the installation directory is not writable, the old code fell through to a branch that wrote the configuration file to a hard-coded path `/tmp/userdata.inc.php` using `fopen('/tmp/userdata.inc.php', 'w')` [patch_id=1702830]. The language strings in `install/lng/english.lng.php`, `french.lng.php`, and `german.lng.php` also referenced the static `/tmp/userdata.inc.php` filename [patch_id=1702830].

The patch replaces the hard-coded `/tmp/userdata.inc.php` with a call to `tempnam(sys_get_temp_dir(), 'fx')`, which generates an unpredictable filename [patch_id=1702830]. The new code also uses `touch()` and sets permissions to `0400` before writing, improving security. The language strings are updated to use a `%s` placeholder so the dynamic filename is displayed to the administrator, who is then instructed to move the file to the correct location (`lib/userdata.inc.php`) [patch_id=1702830]. This eliminates the race condition and predictability that allowed local attackers to interfere with or steal the configuration file.