Improper Authorization in hdinnovations/unit3d-community-edition

Valid

Reported on

Nov 17th 2021
Description

2FA bypass in chat functions. The "twostep" middleware is not applied to the routes defined in vue.php, so the chat API is reachable by a session that has logged in but has not yet completed the second factor.

Proof of Concept

1: Log in to an account that has 2FA enabled. Do not complete the 2FA process.
2: View all chat messages at https://[UNIT3D-URL]/api/chat/messages/1
3: If the CSRF token does not change per request, an attacker can use the logout CSRF token to sign all other malicious POST requests to the chat functions.

Impact

This vulnerability allows the chat functions to be used without completing 2FA.

Occurrences

'twostep' middleware not applied to the routes in vue.php
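A regression check for this class of bug, written as an added example and not part of UNIT3D or of the fix commit: a Laravel feature test that walks the registered route table and fails if any route under the `api/chat` prefix (taken from the PoC URL) is not guarded by the `twostep` middleware alias named in the report. It assumes a standard Laravel test setup (`Tests\TestCase`) and that `twostep` is registered as a route middleware alias in the application's HTTP kernel.

```php
<?php
// tests/Feature/TwoStepCoverageTest.php (added example, not UNIT3D's own code)
// Assumptions: 'twostep' is the middleware alias that enforces the second
// factor, and every chat endpoint lives under the 'api/chat' URI prefix.

namespace Tests\Feature;

use Illuminate\Support\Facades\Route;
use Tests\TestCase;

class TwoStepCoverageTest extends TestCase
{
    /**
     * Every chat API route must carry 'twostep'. A route that carries only
     * 'auth' can be called by a session that has entered its password but
     * not its second factor, which is exactly the gap reported above.
     */
    public function testChatRoutesRequireTwoStep(): void
    {
        $missing = [];

        foreach (Route::getRoutes()->getRoutes() as $route) {
            // Only the chat API is in scope for this check.
            if (strncmp($route->uri(), 'api/chat', 8) !== 0) {
                continue;
            }

            // gatherMiddleware() merges group-level, route-level and
            // controller-level middleware into one flat list.
            $middleware = $route->gatherMiddleware();

            if (! in_array('twostep', $middleware, true)) {
                $missing[] = implode('|', $route->methods()) . ' ' . $route->uri();
            }
        }

        $this->assertSame(
            [],
            $missing,
            "Chat routes reachable without completing 2FA:\n" . implode("\n", $missing)
        );
    }
}
```

Because the test inspects the route table rather than the routing files, it also catches a route that is added later in a different file without the middleware.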

We are processing your report and will contact the hdinnovations/unit3d-community-edition team within 24 hours. 17 days ago
haxatron
17 days ago

Researcher
I found this by accident because it looks like the demo site language has been changed to Hungarian and it looks like someone else enabled 2FA on the demo site :/

haxatron modified their report
17 days ago
HDVinnie validated this vulnerability 17 days ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
HDVinnie confirmed that a fix has been merged on aed196 17 days ago
HDVinnie has been awarded the fix bounty
vue.php#L23 has been validated