php · froxlor/froxlor · Critical
Froxlor API Authentication Bypasses Two-Factor Authentication
FroxlorRPC::validateAuth does not enforce Two-Factor Authentication.
What changed
Because FroxlorRPC::validateAuth does not enforce Two-Factor Authentication, API requests authenticated with only an API key and secret succeed without a TOTP challenge, even when the user has 2FA enabled.
Who it affects
All Froxlor installations with the API enabled and users (admins or customers) who have enabled 2FA. An attacker holding a leaked API key and secret can call all 165 API functions, including read/write operations on customer data, domains, email accounts, FTP accounts, MySQL databases, SSL certificates, and DNS records.
What to do today
Apply the suggested fix to add 2FA verification in FroxlorRPC::validateAuth(), or disable API access for accounts with 2FA enabled until a patch is released.