2FAuth Blind Server-Side Request Forgery Vulnerability Allowing Internal Network Access

Vulnerability

A blind server-side request forgery (SSRF) vulnerability has been identified in 2FAuth, a web application for managing two-factor authentication accounts, in versions prior to 6.1.0. The vulnerability allows authenticated users to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. The issue arises because the image parameter in the OTP URL is not validated against internal or private IP addresses before the server issues the HTTP request. Although a previous fix added response validation to ensure that only valid images are stored, the HTTP request to the arbitrary URL is still sent before that validation occurs.

Impact

Exploitation of this vulnerability allows authenticated users to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. This could lead to cloud credential theft or exploitation of internal services that trust requests from localhost.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/v1/twofaccounts/preview' endpoint with an OTP URL whose image parameter points to an arbitrary URL. The request must include a valid X-XSRF-TOKEN and authentication cookies. The server processes the request and issues an HTTP request to the URL given in the image parameter; no check for internal or private IP addresses is performed before that request is sent.
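The missing control is a check that runs before any request is sent. The following is an added example (not 2FAuth's own code, which is a Laravel/PHP application) of such a pre-request check: it requires an http/https scheme, resolves the hostname, and refuses the fetch if any resolved address is loopback, private, link-local (which covers the 169.254.169.254 metadata endpoint) or otherwise non-public, including IPv4-mapped IPv6 forms. The `resolver` parameter is an assumption introduced so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example, not 2FAuth's own code: decide whether an untrusted "image"
# URL may be fetched BEFORE any HTTP request leaves the server.

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Return the IP address strings a host maps to. Literal IPs need no DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    # Real DNS lookup; sockaddr[0] is the address for both IPv4 and IPv6.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip_str):
    """True only for globally routable addresses. is_global already excludes
    loopback, RFC 1918, link-local (169.254.0.0/16), shared, test and reserved
    ranges; IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped first."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def is_safe_image_url(url, resolver=resolve_host):
    """Return (ok, reason). `resolver` is injectable (hypothetical parameter)
    so tests can supply constructed DNS answers without network access."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parsed.hostname:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials in URL not allowed"
    try:
        addresses = resolver(parsed.hostname)
    except OSError:  # socket.gaierror is a subclass
        return False, "hostname does not resolve"
    if not addresses:
        return False, "hostname does not resolve"
    # Reject if ANY answer is non-public: a mixed answer set is still unsafe.
    for addr in addresses:
        if not is_public_address(addr):
            return False, "resolves to non-public address " + addr
    return True, "ok"
```

The address checked here must be the one the HTTP client actually connects to (or the check must be repeated at connect time), otherwise a hostname whose DNS answer changes between validation and fetch can still reach an internal host.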

Remediation

Users are advised to update to 2FAuth version 6.1.0 or later, where this vulnerability has been fixed.

Added: Mar 11, 2026, 10:36 PM
Updated: Mar 11, 2026, 10:36 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.4
exploitability: 4.0
remediation: 7.7
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.