Headline
GHSA-wmx7-pw49-88jx: Craft CMS Allows TOTP Token To Stay Valid After Use
Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period.
Impact
An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim’s credentials.
A TOTP token can be used multiple times to establish an authenticated session. RFC 6238 insists that an OTP must not be used more than once.
The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.
The OWASP Application Security Verification Standard v4.0.3 (ASVS) reiterates this property with requirement 2.8.4.
Verify that time-based OTP can be used only once within the validity period.
It should also be noted that the validity period of an TOTP token is 2 minutes. This makes a successful brute force attack more likely, since the four tokens are valid at the same time.
Patches
This has been patched in Craft 5.2.3.
References:
https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV 2024061701_CraftCMS_TOTP_Valid_After_Use
https://github.com/craftcms/cms/releases/tag/5.2.3
Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period.
Impact
An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim’s credentials.
A TOTP token can be used multiple times to establish an authenticated session.
RFC 6238 insists that an OTP must not be used more than once.
The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.
The OWASP Application Security Verification Standard v4.0.3 (ASVS) reiterates
this property with requirement 2.8.4.
Verify that time-based OTP can be used only once within the validity period.
It should also be noted that the validity period of an TOTP token is 2 minutes. This makes a successful brute force attack more likely, since the four tokens are valid at the same time.
Patches
This has been patched in Craft 5.2.3.
References:
https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV 2024061701_CraftCMS_TOTP_Valid_After_Use
https://github.com/craftcms/cms/releases/tag/5.2.3
References
- GHSA-wmx7-pw49-88jx
- craftcms/cms@7c790fa
- https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240617-01_CraftCMS_TOTP_Valid_After_Use