Improper Authorization in hdinnovations/unit3d-community-edition

Valid

Reported on Nov 17th 2021


Description

2FA bypass in chat functions. The "twostep" middleware is not applied to the routes in vue.php.

Proof of Concept

1: Log in to an account with 2FA enabled. Do not complete the 2FA process.
2: See all chat messages at https://[UNIT3D-URL]/api/chat/messages/1
3: If the CSRF token does not change per request, an attacker can use the logout CSRF token to sign all other malicious POST requests to the chat function.

Impact

This vulnerability allows a 2FA bypass in chat functions.

Occurrences

'twostep' middleware not implemented
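
As an added example (not UNIT3D's code and not part of the original report), a route audit that flags any route guarded by `auth` but not by `twostep`, which is the gap described above. The JSON field names, the sample routes and the exemption list are assumptions constructed for illustration.

```python
import json

# Constructed sample: a route table exported as JSON. The field names
# ("uri", "middleware") and every route below are assumptions for this example.
SAMPLE_ROUTES = json.dumps([
    {"uri": "login", "middleware": ["web", "guest"]},
    {"uri": "logout", "middleware": ["web", "auth"]},
    {"uri": "twostep/verify", "middleware": ["web", "auth"]},
    {"uri": "torrents", "middleware": "web,auth,twostep"},
    {"uri": "api/chat/messages/{id}", "middleware": ["web", "auth"]},
    {"uri": "api/chat/rooms", "middleware": ["web", "auth:api", "twostep"]},
])

# Hypothetical allow-list: routes a half-authenticated session must still
# reach (finishing the 2FA challenge, logging out).
EXEMPT_PREFIXES = ("logout", "twostep/")


def middleware_names(raw):
    """Normalise a middleware field (list, or comma/newline-separated string)
    to base names, so 'auth:api' is treated as 'auth'."""
    if isinstance(raw, str):
        raw = raw.replace("\n", ",").split(",")
    return {m.strip().split(":", 1)[0] for m in raw or [] if m.strip()}


def routes_missing_second_factor(routes_json, required="twostep"):
    """Return URIs that require a login (auth) but never check that the
    session completed the second factor."""
    missing = []
    for route in json.loads(routes_json):
        uri = route["uri"].lstrip("/")
        names = middleware_names(route.get("middleware"))
        if "auth" not in names or required in names:
            continue  # public route, or already 2FA-gated
        if uri.startswith(EXEMPT_PREFIXES):
            continue  # must stay reachable before 2FA completes
        missing.append(uri)
    return missing


if __name__ == "__main__":
    for uri in routes_missing_second_factor(SAMPLE_ROUTES):
        print("auth without twostep:", uri)
```

Run as a CI check against the application's real route export, a non-empty result fails the build before a new route file ships without the second-factor middleware.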

We are processing your report and will contact the hdinnovations/unit3d-community-edition team within 24 hours. 2 years ago
haxatron
2 years ago

Researcher


I found this by accident because it looks like the demo site language has been changed to Hungarian and it looks like someone else enabled 2FA on the demo site :/

haxatron modified the report
2 years ago
HDVinnie validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
HDVinnie marked this as fixed with commit aed196 2 years ago
HDVinnie has been awarded the fix bounty
This vulnerability will not receive a CVE
vue.php#L23 has been validated