From bee3f6131fbac1358f9f5c9f14d7074cff9bac1a Mon Sep 17 00:00:00 2001 From: root Date: Wed, 13 Dec 2023 11:14:54 +0100 Subject: [PATCH] 3.1.1 Fix for Vulnerability: Bypassing 2FA Authentication (Hamidreza Faghani) --- includes/config/include.php | 2 +- includes/core/login.js.php | 7 ++-- install/install.queries.php | 2 +- install/upgrade_run_3.1.php | 6 +++ sources/main.queries.php | 74 +++++++++++++++++++++++++++++-------- 5 files changed, 71 insertions(+), 20 deletions(-) diff --git a/includes/config/include.php b/includes/config/include.php index b265e366d..34177f43c 100755 --- a/includes/config/include.php +++ b/includes/config/include.php @@ -17,7 +17,7 @@ */ define('TP_VERSION', '3.1.1'); define("UPGRADE_MIN_DATE", "1702452416"); -define('TP_VERSION_MINOR', '6'); +define('TP_VERSION_MINOR', '7'); define('TP_TOOL_NAME', 'Teampass'); define('TP_ONE_DAY_SECONDS', 86400); define('TP_ONE_WEEK_SECONDS', 604800); diff --git a/includes/core/login.js.php b/includes/core/login.js.php index 99f27b888..a5acad0f5 100755 --- a/includes/core/login.js.php +++ b/includes/core/login.js.php @@ -818,7 +818,8 @@ function getGASynchronization() { data = { 'login': $("#login").val(), 'pw': $("#pw").val(), - 'send_mail': 1 + 'send_mail': 1, + 'token': CreateRandomString(100) } $.post( 'sources/main.queries.php', { @@ -874,9 +875,9 @@ function send_user_new_temporary_ga_code() { data = { 'login': $("#login").val(), 'pwd': $("#pw").val(), - 'send_email': 1 + 'send_email': 1, + 'token': CreateRandomString(100) } - //console.log(data); $.post( 'sources/main.queries.php', { type: 'ga_generate_qr', diff --git a/install/install.queries.php b/install/install.queries.php index 1e87bf018..87ae4fe76 100755 --- a/install/install.queries.php +++ b/install/install.queries.php @@ -1196,7 +1196,7 @@ function encryptFollowingDefuse($message, $ascii_key) `token` varchar(255) NOT NULL, `reason` varchar(255) NOT NULL, `creation_timestamp` varchar(50) NOT NULL, - `end_timestamp` varchar(50) NOT NULL, + `end_timestamp` varchar(50) DEFAULT NULL, PRIMARY KEY (`id`) ) CHARSET=utf8;' ); diff --git a/install/upgrade_run_3.1.php b/install/upgrade_run_3.1.php index 033c0f6f1..dce75f15f 100644 --- a/install/upgrade_run_3.1.php +++ b/install/upgrade_run_3.1.php @@ -112,6 +112,12 @@ ) CHARSET=utf8;' ); +// Alter table TOKENS +mysqli_query( + $db_link, + 'ALTER TABLE `' . $pre . 'tokens` CHANGE `end_timestamp` `end_timestamp` VARCHAR(50) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci NULL;' +); + //---verifyPasswordHash($post_pwd, $data['pw']) === false + isSetArrayOfValues([$post_pwd, $dataUser['pw']]) === true + && $pwdlib->verifyPasswordHash($post_pwd, $dataUser['pw']) === false && $post_demand_origin !== 'users_management_list' ) { // checked the given password @@ -1070,7 +1072,7 @@ function generateQRCode( ); } - if (empty($data['email']) === true) { + if (empty($dataUser['email']) === true) { return prepareExchangedData( array( 'error' => true, @@ -1079,6 +1081,38 @@ function generateQRCode( 'encode' ); } + + // Check if token already used + $dataToken = DB::queryfirstrow( + 'SELECT end_timestamp, reason + FROM ' . prefixTable('tokens') . ' + WHERE token = %s AND user_id = %i', + $post_token, + $dataUser['id'] + ); + $tokenId = ''; + if (DB::count() > 0 && is_null($dataToken['end_timestamp']) === false && $dataToken['reason'] === 'auth_qr_code') { + // This token has already been used + return prepareExchangedData( + array( + 'error' => true, + 'message' => 'TOKEN already used',//$lang->get('no_email_set'), + ), + 'encode' + ); + } elseif(DB::count() === 0) { + // Store token for this action + DB::insert( + prefixTable('tokens'), + array( + 'user_id' => (int) $dataUser['id'], + 'token' => $post_token, + 'reason' => 'auth_qr_code', + 'creation_timestamp' => time(), + ) + ); + $tokenId = DB::insertId(); + } // generate new GA user code $tfa = new TwoFactorAuth($SETTINGS['ga_website_name']); @@ -1092,11 +1126,21 @@ function generateQRCode( 'ga_temporary_code' => $gaTemporaryCode, ], 'id = %i', - $data['id'] + $dataUser['id'] ); // Log event - logEvents($SETTINGS, 'user_connection', 'at_2fa_google_code_send_by_email', (string) $data['id'], stripslashes($post_login), stripslashes($post_login)); + logEvents($SETTINGS, 'user_connection', 'at_2fa_google_code_send_by_email', (string) $dataUser['id'], stripslashes($post_login), stripslashes($post_login)); + + // Update token status + DB::update( + prefixTable('tokens'), + [ + 'end_timestamp' => time(), + ], + 'id = %i', + $tokenId + ); // send mail? if ((int) $post_send_mail === 1) { @@ -1107,7 +1151,7 @@ function generateQRCode( $gaTemporaryCode, $lang->get('email_ga_text') ), - $data['email'], + $dataUser['email'], $SETTINGS ); @@ -1116,10 +1160,10 @@ function generateQRCode( array( 'error' => false, 'message' => $post_send_mail, - 'email' => $data['email'], + 'email' => $dataUser['email'], 'email_result' => str_replace( '#email#', - '' . obfuscateEmail($data['email']) . '', + '' . obfuscateEmail($dataUser['email']) . '', addslashes($lang->get('admin_email_result_ok')) ), ), @@ -1132,10 +1176,10 @@ function generateQRCode( array( 'error' => false, 'message' => '', - 'email' => $data['email'], + 'email' => $dataUser['email'], 'email_result' => str_replace( '#email#', - '' . obfuscateEmail($data['email']) . '', + '' . obfuscateEmail($dataUser['email']) . '', addslashes($lang->get('admin_email_result_ok')) ), ),