Kalcaddle Kodbox Improper Authentication Vulnerability in Two-Factor Authentication Process
Vulnerability
A vulnerability exists in Kalcaddle Kodbox version 1.64 in the Password Login component's two-factor authentication (2FA) implementation. The affected code is the 'loginAfter/tfaVerify' function in '/workspace/source-code/plugins/client/controller/tfa/index.class.php'. The flaw can be triggered remotely; the rating classifies the attack as high complexity and difficult to exploit, but in practice it requires nothing beyond a valid username and password. When 2FA is enabled for an account, the login handler only starts a 2FA challenge if the client explicitly sends 'withTfa=0'. If that parameter is omitted, the server skips 2FA and issues a full access token on the strength of the username and password alone. Separately, during the verification step, sending 'wiotTfa=1' makes 'tfaVerify()' skip one-time password validation and complete the login directly. In both cases the client, not the server, decides whether the second factor is enforced. As a result, any attacker holding valid credentials can log in without providing a second factor, even to accounts that require 2FA, including administrative accounts.
Impact
Exploitation of this vulnerability allows an attacker who already holds a valid username and password to bypass the two-factor authentication requirement and obtain a full session, granting unauthorized access to user accounts, including those of administrators. On affected installations, enabling 2FA therefore provides no additional protection against credential theft.
Reproduction
To reproduce this vulnerability, start a login against a Kalcaddle Kodbox 1.64 instance with valid credentials for an account that has 2FA enabled. Observe that the server only prompts for the second factor when the request carries 'withTfa=0'; send the same login request with the 'withTfa' parameter omitted and the server issues a full access token from the username and password alone, with no 2FA challenge. Alternatively, proceed into the 2FA verification step and send 'wiotTfa=1' instead of a one-time password: 'tfaVerify()' skips OTP validation and completes the login. Either path circumvents the 2FA requirement; a successful reproduction ends with an authenticated session for the 2FA-protected account without a valid one-time password ever having been supplied.
Remediation
To address this vulnerability, enforce two-factor authentication on the server side whenever it is enabled for an account. Remove client-side bypass flags such as 'withTfa' and 'wiotTfa'; whether a second factor is required must be decided from the account's stored settings, never from a request parameter. After a correct password, a 2FA-enabled account should receive only a short-lived, single-use, server-generated challenge identifier, and a full access token should be issued only after a one-time password has been verified against that challenge.
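The following added example (not Kodbox code) models the two flows side by side: a vulnerable login in which client-supplied parameters, named 'withTfa' and 'wiotTfa' as the advisory gives them, decide whether the second factor is enforced, and a hardened login that keeps that decision on the server and binds the OTP check to a short-lived, single-use challenge. The user store, password hashes, TOTP secret, token format and function names are constructed for illustration; the TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step, six digits).

```python
"""Client-decided 2FA (vulnerable) versus server-enforced 2FA (hardened).

Added example; not Kodbox code. Users, secrets, parameter names and
token format are constructed for illustration.
"""
import base64
import hashlib
import hmac
import secrets
import struct


def _pw_hash(pw: str) -> str:
    # Constructed store uses a plain SHA-256; a real deployment would use a
    # slow password hash (argon2, bcrypt).
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed user database: one account with 2FA enabled, one without.
USERS = {
    "admin": {"pw": _pw_hash("correct horse"), "tfa_enabled": True,
              "tfa_secret": base64.b32decode("JBSWY3DPEHPK3PXP")},
    "bob":   {"pw": _pw_hash("hunter2"), "tfa_enabled": False, "tfa_secret": None},
}


def _check_password(username: str, password: str) -> bool:
    u = USERS.get(username)
    return u is not None and hmac.compare_digest(u["pw"], _pw_hash(password))


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP for Unix time `now` (HMAC-SHA1 over the time counter)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# ---- Vulnerable flow: request parameters decide whether 2FA happens ----
def vulnerable_login(username: str, password: str, params: dict) -> dict:
    if not _check_password(username, password):
        return {"error": "bad credentials"}
    # Bug: the challenge is only raised when the client volunteers withTfa=0.
    if USERS[username]["tfa_enabled"] and params.get("withTfa") == "0":
        return {"tfa_required": True}
    return {"token": f"tok-{username}"}          # full token from password alone


def vulnerable_tfa_verify(username: str, params: dict, now: int) -> dict:
    # Bug: wiotTfa=1 short-circuits OTP validation entirely.
    if params.get("wiotTfa") == "1":
        return {"token": f"tok-{username}"}
    expected = totp(USERS[username]["tfa_secret"], now)
    if hmac.compare_digest(expected, str(params.get("code", ""))):
        return {"token": f"tok-{username}"}
    return {"error": "bad code"}


# ---- Hardened flow: server state decides; no request flag is consulted ----
CHALLENGE_TTL = 120                 # seconds a pending challenge stays valid
_pending: dict = {}                 # challenge_id -> (username, expiry)


def secure_login(username: str, password: str, params: dict, now: int) -> dict:
    if not _check_password(username, password):
        return {"error": "bad credentials"}
    if USERS[username]["tfa_enabled"]:
        # Only a random, short-lived challenge id leaves the server here.
        cid = secrets.token_urlsafe(32)
        _pending[cid] = (username, now + CHALLENGE_TTL)
        return {"challenge": cid}                # params is deliberately ignored
    return {"token": f"tok-{username}"}


def secure_tfa_verify(challenge_id: str, params: dict, now: int) -> dict:
    entry = _pending.pop(challenge_id, None)     # single use: success or not, it is gone
    if entry is None:
        return {"error": "unknown challenge"}
    username, expiry = entry
    if now > expiry:
        return {"error": "challenge expired"}
    expected = totp(USERS[username]["tfa_secret"], now)
    if not hmac.compare_digest(expected, str(params.get("code", ""))):
        return {"error": "bad code"}             # a wrong code forces a fresh login
    return {"token": f"tok-{username}"}
```

In the hardened flow the only thing a client can do with request parameters is supply a one-time password; the requirement itself comes from the account record, the challenge is bound to the username that passed the password check, and it is consumed on first use so a verified code cannot be replayed against a second challenge. Consuming the challenge on a wrong code is a deliberate trade-off that caps OTP guessing at one attempt per password login.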
