Security vulnerabilities

  • Status: Closed
  • Assigned To: cbay
  • Private
Attached to Project: Security vulnerabilities
Opened by monty099 - 18.09.2024
Last edited by cbay - 19.09.2024

FS#76 - Two-Factor Authentication Bypass Issue in admin.alwaysdata.com

Summary: A vulnerability has been identified that allows an attacker to bypass Two-Factor Authentication (2FA) and manage applications on a user’s account. The attacker can create and delete applications on the account of the user who invited them.

Steps to Reproduce:
1. Create a new account.
2. Add a member to manage your account and activate Two-Factor Authentication (2FA) for that member.
3. Add an application to your account.
4. Log in to the account of the invited member.
5. Navigate to the following link: https://admin.alwaysdata.com/site/application/script/
6. Observe that you can create a new application and delete existing applications on the account of the original account holder.

POC: https://drive.google.com/file/d/1v5PbiZaZZK7l30XgdZx7025tsZnDOOf8/view?usp=drivesdk

Impact: Two-Factor Authentication Bypass

Closed by  cbay
19.09.2024 12:24
Reason for closing:  Fixed
Admin
cbay commented on 19.09.2024 07:21

Hello,

There's no 2FA authentication bypass at all, neither in your scenario nor in your video. Your video doesn't even show you connecting.

Kind regards,
Cyril

Hi,

I have explained the steps and demonstrated that the invited user can access and manage the account holder's content without having to enable two-factor authentication (even though the account holder has required two-factor authentication for the user they invited).

Please try to reproduce this bug and let me know if you encounter any issues.

Admin
cbay commented on 19.09.2024 08:36
"without having to enable two-factor authentication"

Correct me if I'm wrong but your video doesn't show that. It neither shows the profile connecting nor the profile details. Can you do a video that includes those?

Besides, are you talking about 2FA authorization, not authentication?

Authentication means: are you able to connect to the admin?
Authorization means: are you able to access some features once connected?

Admin
cbay commented on 19.09.2024 12:24

Thanks, it's clearer. Let me rephrase the issue: if a profile gave another profile permission on their sites, but required that the profile had 2FA enabled to access them, that requirement was actually not enforced for accessing application scripts (only).

That bug is now fixed, you can claim your bounty by opening a ticket from the administration panel.

Thanks!
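The closing comment describes a classic authorization gap: the "member must have 2FA enabled" condition was checked on the ordinary site views but not on the application-script endpoint. The following is an added illustration, not alwaysdata's code; the Profile/Delegation model, the route table and every function name are assumptions chosen to show the pattern, and only the path /site/application/script/ comes from the report. It contrasts a dispatcher that repeats the check by hand in each view (and forgets it in one) with one that applies a single shared check to every delegated route.

```python
"""Added example (not alwaysdata's code): a per-view 2FA-requirement check
that misses one endpoint, beside a single shared check applied to all routes.
Model, route names and function names are assumptions for illustration."""
from dataclasses import dataclass
from functools import wraps


@dataclass
class Profile:
    name: str
    two_factor_enabled: bool = False


@dataclass
class Delegation:
    """`owner` lets `member` manage the owner's sites, optionally only with 2FA."""
    owner: str
    member: str
    require_2fa: bool = False


@dataclass
class Request:
    path: str
    user: Profile
    target_owner: str  # whose sites the request operates on


class Forbidden(Exception):
    pass


def find_delegation(delegations, owner, member):
    for d in delegations:
        if d.owner == owner and d.member == member:
            return d
    return None


# --- vulnerable shape: each view re-implements the permission logic --------

def vulnerable_dispatch(req, delegations):
    if req.user.name == req.target_owner:
        return "ok"  # owners always manage their own sites
    d = find_delegation(delegations, req.target_owner, req.user.name)
    if d is None:
        raise Forbidden("no delegation")
    if req.path == "/site/":
        if d.require_2fa and not req.user.two_factor_enabled:
            raise Forbidden("2FA required")
        return "ok"
    if req.path == "/site/application/script/":
        # BUG: the require_2fa condition was never copied into this view,
        # so a delegated member without 2FA can still manage scripts.
        return "ok"
    raise Forbidden("unknown route")


# --- fixed shape: one check, applied to every delegated route --------------

def authorize_delegated(req, delegations):
    """The single place the delegation rules live."""
    if req.user.name == req.target_owner:
        return
    d = find_delegation(delegations, req.target_owner, req.user.name)
    if d is None:
        raise Forbidden("no delegation")
    if d.require_2fa and not req.user.two_factor_enabled:
        raise Forbidden("2FA required")


def requires_delegation(view):
    @wraps(view)
    def wrapper(req, delegations):
        authorize_delegated(req, delegations)
        return view(req, delegations)
    return wrapper


@requires_delegation
def sites_view(req, delegations):
    return "ok"


@requires_delegation
def scripts_view(req, delegations):
    return "ok"


FIXED_ROUTES = {"/site/": sites_view, "/site/application/script/": scripts_view}


def fixed_dispatch(req, delegations):
    view = FIXED_ROUTES.get(req.path)
    if view is None:
        raise Forbidden("unknown route")
    return view(req, delegations)


def access(dispatch, req, delegations):
    """Run a request through a dispatcher and report the outcome as a string."""
    try:
        return dispatch(req, delegations)
    except Forbidden as exc:
        return f"denied: {exc}"


def demo():
    """Constructed scenario from the report: the owner invites a member and
    requires 2FA; the member logs in without having enabled it."""
    delegations = [Delegation(owner="owner", member="member", require_2fa=True)]
    member = Profile("member", two_factor_enabled=False)
    results = {}
    for label, dispatch in (("vulnerable", vulnerable_dispatch), ("fixed", fixed_dispatch)):
        results[label] = {
            path: access(dispatch, Request(path, member, "owner"), delegations)
            for path in ("/site/", "/site/application/script/")
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The point of the fixed shape is not the decorator itself but that the rule "this delegation requires 2FA" is evaluated in exactly one function that every delegated route must pass through; a new endpoint added later cannot silently skip it, which is what happened to the script endpoint here.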
