FS#76 : **Title: Two-Factor Authentication Bypass ** in [admin.alwaysdata.com]

Status Closed
Assigned To

cbay
Private

Attached to Project: Security vulnerabilities
Opened by monty099 - 18.09.2024
Last edited by cbay - 19.09.2024

FS#76 - Title: Two-Factor Authentication Bypass in [admin.alwaysdata.com]

Title: Two-Factor Authentication Bypass Issue in [admin.alwaysdata.com]

Summary: A vulnerability has been identified that allows an attacker to bypass Two-Factor Authentication (2FA) and manage applications on a user’s account. The attacker can create and delete applications on the account of the user who invited them.

Steps to Reproduce: 1. Create a new account.
2. Add a member to manage your account and activate Two-Factor Authentication (2FA) for that member.
3. Add an application to your account.
4. Log in to the account of the invited member.
5. Navigate to the following link: [https://admin.alwaysdata.com/site/application/script/].
6. Observe that you can create a new application and delete existing applications on the account of the original account holder.

POC: https://drive.google.com/file/d/1v5PbiZaZZK7l30XgdZx7025tsZnDOOf8/view?usp=drivesdk

Impact: Two-Factor Authentication Bypass

Closed by cbay
19.09.2024 12:24
Reason for closing: Fixed

Comments (5)
Related Tasks (0/0)

cbay commented on 19.09.2024 07:21

Hello,

There's no 2FA authentication bypass at all, neither in your scenario nor in your video. Your video doesn't even show you connecting.

Kind regards,
Cyril

monty099 commented on 19.09.2024 08:29

Hi,

I have explained the steps and demonstrated that the invited user can access and manage the account holder's content without having to enable two-factor authentication (even though the account holder has required two-factor authentication for the user they invited).

Please try to reproduce this bug and let me know if you encounter any issues.

cbay commented on 19.09.2024 08:36

without having to enable two-factor authentication

Correct me if I'm wrong but your video doesn't show that. It neither shows the profile connecting nor the profile details. Can you do a video that includes those?

Besides, are you talking about 2FA authorization, not authentication?

Authentication means: are you able to connect to the admin?
Authoziation means: are you able to access some features once connected?

monty099 commented on 19.09.2024 10:15

Warning: Invalid argument supplied for foreach() in /home/ad-flyspray/www/flyspray/plugins/dokuwiki/dokuwiki_formattext.inc.php on line 69

cbay commented on 19.09.2024 12:24

Thanks, it's clearer. Let me rephrase the issue: if a profile gave another profile permission on their sites, but required that the profile had 2FA enabled to access them, that requirement was actually not enforced for accessing application scripts (only).

That bug is now fixed, you can claim your bounty by opening a ticket from the administration panel.

Thanks!

	Tasks related to this task (0)

Loading...

Keyboard shortcuts

Available keyboard shortcuts

Alt + ⇧ Shift + l Login Dialog / Logout
Alt + ⇧ Shift + a Add new task
Alt + ⇧ Shift + m My searches
Alt + ⇧ Shift + t focus taskid search

Tasklist

o open selected task
j move cursor down
k move cursor up

Task Details

n Next task
p Previous task
Alt + ⇧ Shift + e ↵ Enter Edit this task
Alt + ⇧ Shift + w watch task
Alt + ⇧ Shift + y Close Task

Task Editing

Alt + ⇧ Shift + s save task

Security vulnerabilities