Admidio Two-Factor Authentication Authorization Bypass Vulnerability

Vulnerability

A logic error in Admidio's two-factor authentication (2FA) reset process prior to version 5.0.9 allows non-admin users to remove 2FA for other users, including administrators. This vulnerability can be exploited by group leaders with profile edit rights on admin accounts, effectively disabling 2FA and reducing admin security to password-only authentication.

Impact

Exploitation of this vulnerability allows group leaders to disable 2FA on administrator accounts, lowering their security to password-only access. This change could facilitate credential stuffing or brute force attacks against these accounts.

Reproduction

To reproduce this vulnerability, a non-admin group leader with profile edit rights on an admin account can send a POST request to the two-factor authentication module, including the UUID of the admin user. The server will process the request and remove 2FA from the admin account. In contrast, if the same user attempts to reset their own 2FA, the request will be denied with a 'SYS_NO_RIGHTS' error, confirming the authorization logic flaw.
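As an added illustration (not Admidio's code), the following Python model reproduces the authorization decision the advisory describes. The pre-5.0.9 rule is reconstructed from the observed behavior (self-reset denied, reset of an editable other account allowed) and is an assumption; the hardened rule is one reasonable fix, not necessarily the exact change shipped in 5.0.9.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet


@dataclass(frozen=True)
class User:
    uuid: str
    is_admin: bool
    # UUIDs whose profiles this user may edit (the group-leader profile-edit right).
    can_edit_profile_of: FrozenSet[str]


def may_reset_2fa_vulnerable(actor: User, target: User) -> bool:
    """Assumed pre-5.0.9 logic: the self case is rejected, any other profile
    the actor may edit is accepted. Profile-edit rights on an admin account are
    therefore enough to strip the admin's 2FA."""
    if actor.uuid == target.uuid:
        return False  # surfaces as SYS_NO_RIGHTS
    return target.uuid in actor.can_edit_profile_of


def may_reset_2fa_fixed(actor: User, target: User) -> bool:
    """Hardened rule (assumed fix): only the account owner or an administrator
    may remove 2FA. Profile-edit rights alone never weaken another account's
    authentication."""
    return actor.uuid == target.uuid or actor.is_admin


def handle_reset_request(actor: User, target: User,
                         check: Callable[[User, User], bool]) -> str:
    """Outcome of a POST to the 2FA module carrying the target's UUID."""
    return "2FA removed" if check(actor, target) else "SYS_NO_RIGHTS"


# Constructed sample accounts (UUIDs are placeholders, not real values).
ADMIN = User("admin-0001", True, frozenset())
LEADER = User("leader-0002", False, frozenset({"admin-0001", "member-0003"}))
MEMBER = User("member-0003", False, frozenset())

if __name__ == "__main__":
    for name, check in (("vulnerable", may_reset_2fa_vulnerable),
                        ("fixed", may_reset_2fa_fixed)):
        print(name, "leader->admin:", handle_reset_request(LEADER, ADMIN, check))
        print(name, "leader->self: ", handle_reset_request(LEADER, LEADER, check))
```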

Remediation

Users are advised to update to Admidio version 5.0.9, which addresses this vulnerability by correcting the authorization check logic. Instructions for updating can be found on the Admidio website.

Added: May 7, 2026, 4:35 AM
Updated: May 7, 2026, 4:35 AM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 0.6
exploitability: 6.2
remediation: 7.7
relevance: 7.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.