Horilla HR Software Two-Factor Authentication Bypass Vulnerability
Vulnerability
A vulnerability exists in Horilla HR Software versions prior to 1.5.0 (1.4.0 and earlier) that allows an attacker who has already passed the password step to bypass two-factor authentication (2FA) through a flaw in the one-time password (OTP) handling logic. When an OTP expires, the server-side lookup of the stored OTP returns None. If the attacker omits the otp field from the POST request entirely, the user-supplied value is also None, so the equality check compares None with None and succeeds. This lets the attacker complete the 2FA step without ever knowing a valid OTP, compromising the account and the HR data it can reach; the impact is greatest when administrative accounts are targeted.
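The flaw is a general Python/Django pitfall: cache.get() returns None for an expired key and request.POST.get() returns None for an absent field, so a bare equality check accepts the pair. The following is an added example, not Horilla's own code; the cache key name otp_<user_id>, the field name otp and the OTP value are assumptions. It reproduces the expired-OTP plus omitted-field scenario against a vulnerable check and against a hardened check that treats a missing or expired value as failure, compares in constant time, and consumes the OTP on success.

```python
import hmac


class TTLCache:
    """Constructed stand-in for Django's cache backend (assumption: same
    get/set/delete semantics). get() returns None for a missing OR expired
    key, which is the property the vulnerable check relies on. The clock is
    injectable so expiry can be simulated without sleeping."""

    def __init__(self, clock):
        self._store = {}
        self._clock = clock

    def set(self, key, value, timeout):
        self._store[key] = (value, self._clock() + timeout)

    def get(self, key, default=None):
        item = self._store.get(key)
        if item is None:
            return default
        value, expires_at = item
        if self._clock() >= expires_at:
            del self._store[key]
            return default
        return value

    def delete(self, key):
        self._store.pop(key, None)


def verify_otp_vulnerable(cache, user_id, post):
    """Pattern described in the advisory: the stored OTP is None once expired,
    the submitted OTP is None when the field is omitted, and None == None."""
    stored_otp = cache.get(f"otp_{user_id}")   # assumed key name
    submitted_otp = post.get("otp")             # None if the field is absent
    return stored_otp == submitted_otp


def verify_otp_fixed(cache, user_id, post):
    """Hardened check: absence or expiry of either side is a hard failure,
    the comparison is constant-time, and a successful OTP is single-use."""
    stored_otp = cache.get(f"otp_{user_id}")
    submitted_otp = post.get("otp")
    if not isinstance(stored_otp, str) or not isinstance(submitted_otp, str):
        return False
    if not stored_otp or not submitted_otp:
        return False
    if not hmac.compare_digest(stored_otp.encode(), submitted_otp.encode()):
        return False
    cache.delete(f"otp_{user_id}")  # prevent replay of the same code
    return True


def bypass_scenario(check):
    """Replay the advisory's reproduction: OTP issued, left to expire, then a
    POST carrying only csrfmiddlewaretoken and no otp field. Returns the
    result of the supplied check function."""
    now = [0.0]
    cache = TTLCache(clock=lambda: now[0])
    cache.set("otp_42", "483920", timeout=300)      # constructed OTP, 5 min TTL
    now[0] = 301.0                                  # advance past expiry
    post = {"csrfmiddlewaretoken": "constructed-token"}  # otp field omitted
    return check(cache, 42, post)


def valid_scenario(check, submitted):
    """A live OTP with a submitted value; returns the check result."""
    now = [0.0]
    cache = TTLCache(clock=lambda: now[0])
    cache.set("otp_42", "483920", timeout=300)
    return check(cache, 42, {"csrfmiddlewaretoken": "constructed-token",
                             "otp": submitted})


def replay_scenario():
    """The hardened check must reject a second use of a consumed OTP."""
    now = [0.0]
    cache = TTLCache(clock=lambda: now[0])
    cache.set("otp_42", "483920", timeout=300)
    post = {"otp": "483920"}
    first = verify_otp_fixed(cache, 42, post)
    second = verify_otp_fixed(cache, 42, post)
    return first, second


if __name__ == "__main__":
    print("vulnerable, expired OTP, otp field omitted:",
          bypass_scenario(verify_otp_vulnerable))   # True: 2FA bypassed
    print("fixed, expired OTP, otp field omitted:",
          bypass_scenario(verify_otp_fixed))        # False
    print("fixed, correct live OTP:", valid_scenario(verify_otp_fixed, "483920"))
    print("fixed, replayed OTP:", replay_scenario())
```

The isinstance guard also covers a request that sends otp as an empty string or a non-string value; only a non-empty string that matches the still-live stored code is accepted, and the stored code is deleted so the same request body cannot be replayed.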
Impact
Exploitation of this vulnerability allows an attacker who knows or has obtained a user's password to bypass the OTP requirement of two-factor authentication and gain full access to that user's account. This leads to account takeover and unauthorized access to sensitive HR data. Targeting an administrative account could allow manipulation of employee records and broader abuse of the system.
Reproduction
To reproduce this vulnerability, log in to a Horilla HR Software account with valid credentials and request the OTP that is sent by email. Wait for the OTP to expire without submitting it, so that the server no longer holds a stored value. Then send the OTP verification POST request with the otp field removed entirely, leaving only the csrfmiddlewaretoken and the session cookie. The server compares the expired (None) stored OTP with the absent (None) submitted OTP, the check passes, and the 2FA step completes without a valid code. Note that submitting an empty or wrong otp value does not trigger the bypass; the field must be omitted, and the stored OTP must already have expired.
Remediation
Upgrade to Horilla HR Software version 1.5.0 or later, which addresses this vulnerability. Independently of the upgrade, any OTP verification logic should treat a missing, empty, or expired OTP on either side as a failed check before performing the comparison, rather than comparing the two values directly.
