Froxlor’s API authentication (FroxlorRPC::validateAuth) does not enforce Two‑Factor Authentication. When an admin or customer enables 2FA on their account, the web UI correctly requires a TOTP code after password verification. However, the API accepts requests authenticated with only an API key and secret — no TOTP challenge is issued, checked, or required.
The affected code in `lib/Froxlor/Api/FroxlorRPC.php` (lines 75‑105) retrieves the API key and secret from the database and verifies the key, secret, expiration, and API permissions. It completely omits any check for the `type_2fa` field or any call to FroxlorTwoFactorAuth::verifyCode(). There are zero references to 2FA, TOTP, or `type_2fa` in the entire `lib/Froxlor/Api/` directory.
An attacker who obtains a leaked API key+secret for a 2FA‑protected account can therefore access all 165 API functions without providing a second factor. The second factor is simply never requested — no brute force is needed, and the architectural flaw is distinct from previous rate‑limiting issues (such as CVE‑2023‑3173).
The vulnerability exists in Froxlor up to and including version 2.3.5. A clean Docker install of 2.3.5 (Debian Bookworm, PHP 8.2, Apache 2.4) demonstrates the issue: the web UI redirects to a 2FA page after password submission, while the same API key+secret grants full access to Customers.listing, Domains.listing, Ftps.listing, Emails.listing, Mysqls.listing, Certificates.listing, and 160+ other commands.
DailyCVE Form:
Platform: Froxlor
Version: 2.3.5
Vulnerability: 2FA bypass
Severity: Critical
Date: 2026-06-03
Prediction: Not yet patched
What Undercode Says:
Confirm no 2FA code in API directory
grep -rniE '2fa|totp|two.factor|FroxlorTwoFactor' lib/Froxlor/Api/
(no output)
API access without TOTP
curl -s -u "API_KEY:API_SECRET" \
-H 'Content-Type: application/json' \
-d '{"command":"Customers.listing","params":{}}' \
https://panel.example.com/api.php
Additional sensitive commands
curl -s -u "KEY:SECRET" -d '{"command":"Domains.listing"}' .../api.php
curl -s -u "KEY:SECRET" -d '{"command":"Ftps.listing"}' .../api.php
curl -s -u "KEY:SECRET" -d '{"command":"Emails.listing"}' .../api.php
curl -s -u "KEY:SECRET" -d '{"command":"Mysqls.listing"}' .../api.php
curl -s -u "KEY:SECRET" -d '{"command":"Certificates.listing"}' .../api.php
curl -s -u "KEY:SECRET" -d '{"command":"DomainZones.listing","params":{"domainname":"example.com"}}' .../api.php
Automated PoC script
python3 poc.py https://panel.example.com API_KEY API_SECRET
Exploit:
The exploit requires only a valid API key+secret for a 2FA‑protected account. No TOTP code is needed. An attacker can:
1. Obtain an API key+secret through database leaks, log files, or compromised automation scripts.
2. Send authenticated requests directly to `/api.php` using HTTP Basic Authentication (the API key as username, the secret as password).
3. Execute any of the 165 API commands, including write operations like Customers.update, Domains.add, and Ftps.add.
Protection:
Add 2FA verification to FroxlorRPC::validateAuth(). After the existing database lookup, query the user’s `type_2fa` status. If `type_2fa != 0`, require a TOTP code via a custom header (e.g., `X-2FA-Code`) or a `totp_code` parameter. Reject the request if the code is missing or invalid.
Alternatively, disable API key creation for accounts with 2FA enabled, or force re‑verification of 2FA before generating a new API key.
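The following is an added Python model of the proposed fix, not Froxlor’s PHP code: the original check stops at key and secret, while the hardened check also consults `type_2fa` and verifies an RFC 6238 TOTP, failing closed when the code is absent. The account table, key, secret and function names are constructed for the example; the TOTP secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)

def totp_code(secret_b32: str, timestamp: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", timestamp // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)

def verify_totp(secret_b32: str, code, timestamp: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps."""
    if not isinstance(code, str) or len(code) != 6 or not code.isdigit():
        return False  # missing or malformed code: fail closed
    return any(
        hmac.compare_digest(totp_code(secret_b32, timestamp + skew * STEP), code)
        for skew in range(-window, window + 1)
    )

# Constructed account table standing in for the database row validateAuth reads.
# totp_secret is the RFC 6238 test key "12345678901234567890" in base32.
ACCOUNTS = {"APIKEY-demo": {"secret": "s3cr3t-demo", "type_2fa": 1,
                            "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}}

def lookup(api_key: str, api_secret: str):
    """Key/secret check as the original auth performs it; account or None."""
    acct = ACCOUNTS.get(api_key)
    if acct is None or not hmac.compare_digest(acct["secret"], api_secret):
        return None
    return acct

def validate_auth_original(api_key, api_secret, totp=None, now=0) -> bool:
    """The flawed shape: key + secret suffice, type_2fa is never consulted."""
    return lookup(api_key, api_secret) is not None

def validate_auth_hardened(api_key, api_secret, totp=None, now=0) -> bool:
    """Hardened shape: 2FA-enabled accounts must also present a valid TOTP."""
    acct = lookup(api_key, api_secret)
    if acct is None:
        return False
    if acct["type_2fa"] == 0:
        return True  # second factor not enabled for this account
    return verify_totp(acct["totp_secret"], totp, now)  # e.g. from X-2FA-Code
```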
Impact:
- Customer data (PII) – readable and modifiable.
- Domains and DNS records – full control.
- Email accounts – create, read, delete.
- FTP accounts – home directories and credentials exposed.
- MySQL databases – full management.
- SSL certificates – private keys readable.
- All 165 API functions, including write operations, accessible without the second factor.
Sources:
Reported By: github.com