From 8f5bd214a49a73edf50041ec35b5e6b97ccef12f Mon Sep 17 00:00:00 2001
From: Dane Everitt <dane@daneeveritt.com>
Date: Wed, 4 Jul 2018 11:41:56 -0700
Subject: [PATCH 1/3] [Security] Address 2FA bypass in password reset
 functionality

Thanks to Trixter#0001 on Discord for this security report.

There was a two-factor authentication bypass present in all previous versions of Pterodactyl that would allow a user to login without providing a token by going through the password reset process. A person would still have to have access to the targeted account's email, but if they did manage to get a password reset link they would be able to reset the account password and then proceede to login without a token being required.

This logic has since been changed to check if 2FA is enabled on an account, and if so they will NOT be logged in when their password is changed. This will force them to continue through the normal login pathway where a token will be needed.

Overall the impact of this issue is minor, but I am still addressing it and disclosing the mechanism behind it.
---
 .../Auth/ResetPasswordController.php          | 92 +++++++++++++++++++
 1 file changed, 92 insertions(+)

diff --git a/app/Http/Controllers/Auth/ResetPasswordController.php b/app/Http/Controllers/Auth/ResetPasswordController.php
index 226958416..d1f21994f 100644
--- a/app/Http/Controllers/Auth/ResetPasswordController.php
+++ b/app/Http/Controllers/Auth/ResetPasswordController.php
@@ -2,8 +2,14 @@
 
 namespace Pterodactyl\Http\Controllers\Auth;
 
+use Illuminate\Support\Str;
+use Prologue\Alerts\AlertsMessageBag;
+use Illuminate\Contracts\Hashing\Hasher;
+use Illuminate\Auth\Events\PasswordReset;
+use Illuminate\Contracts\Events\Dispatcher;
 use Pterodactyl\Http\Controllers\Controller;
 use Illuminate\Foundation\Auth\ResetsPasswords;
+use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
 
 class ResetPasswordController extends Controller
 {
@@ -16,6 +22,47 @@ class ResetPasswordController extends Controller
      */
     public $redirectTo = '/';
 
+    /**
+     * @var bool
+     */
+    protected $hasTwoFactor = false;
+
+    /**
+     * @var \Prologue\Alerts\AlertsMessageBag
+     */
+    private $alerts;
+
+    /**
+     * @var \Illuminate\Contracts\Events\Dispatcher
+     */
+    private $dispatcher;
+
+    /**
+     * @var \Illuminate\Contracts\Hashing\Hasher
+     */
+    private $hasher;
+
+    /**
+     * @var \Pterodactyl\Contracts\Repository\UserRepositoryInterface
+     */
+    private $userRepository;
+
+    /**
+     * ResetPasswordController constructor.
+     *
+     * @param \Prologue\Alerts\AlertsMessageBag                         $alerts
+     * @param \Illuminate\Contracts\Events\Dispatcher                   $dispatcher
+     * @param \Illuminate\Contracts\Hashing\Hasher                      $hasher
+     * @param \Pterodactyl\Contracts\Repository\UserRepositoryInterface $userRepository
+     */
+    public function __construct(AlertsMessageBag $alerts, Dispatcher $dispatcher, Hasher $hasher, UserRepositoryInterface $userRepository)
+    {
+        $this->alerts = $alerts;
+        $this->dispatcher = $dispatcher;
+        $this->hasher = $hasher;
+        $this->userRepository = $userRepository;
+    }
+
     /**
      * Return the rules used when validating password reset.
      *
@@ -29,4 +76,49 @@ class ResetPasswordController extends Controller
             'password' => 'required|confirmed|min:8',
         ];
     }
+
+    /**
+     * Reset the given user's password. If the user has two-factor authentication enabled on their
+     * account do not automatically log them in. In those cases, send the user back to the login
+     * form with a note telling them their password was changed and to log back in.
+     *
+     * @param \Illuminate\Contracts\Auth\CanResetPassword|\Pterodactyl\Models\User $user
+     * @param string                                                               $password
+     *
+     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
+     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
+     */
+    protected function resetPassword($user, $password)
+    {
+        $user = $this->userRepository->update($user->id, [
+            'password' => $this->hasher->make($password),
+            $user->getRememberTokenName() => Str::random(60),
+        ]);
+
+        $this->dispatcher->dispatch(new PasswordReset($user));
+
+        // If the user is not using 2FA log them in, otherwise skip this step and force a
+        // fresh login where they'll be prompted to enter a token.
+        if (! $user->use_totp) {
+            $this->guard()->login($user);
+        }
+
+        $this->hasTwoFactor = $user->use_totp;
+    }
+
+    /**
+     * Get the response for a successful password reset.
+     *
+     * @param string $response
+     * @return \Illuminate\Http\RedirectResponse|\Illuminate\Http\JsonResponse
+     */
+    protected function sendResetResponse($response)
+    {
+        if ($this->hasTwoFactor) {
+            $this->alerts->success('Your password was successfully updated. Please log in to continue.')->flash();
+        }
+
+        return redirect($this->hasTwoFactor ? route('auth.login') : $this->redirectPath())
+            ->with('status', trans($response));
+    }
 }

From d9948f2876b4dd8bf21c949da96cff238597139a Mon Sep 17 00:00:00 2001
From: Dane Everitt <dane@daneeveritt.com>
Date: Wed, 4 Jul 2018 11:42:57 -0700
Subject: [PATCH 2/3] Update changelog

---
 CHANGELOG.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bdb7ae655..ab0365a17 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,10 @@ This file is a running track of new features and fixes to each version of the pa
 
 This project follows [Semantic Versioning](http://semver.org) guidelines.
 
+## v0.7.9 (Derelict Dermodactylus)
+### Fixed
+* Fixes a two-factor authentication bypass present in the password reset process for an account.
+
 ## v0.7.8 (Derelict Dermodactylus)
 ### Added
 * Nodes can now be put into maintenance mode to deny access to servers temporarily.

From 6419b1cf81e8f76ae79067f4fda51a192da341ff Mon Sep 17 00:00:00 2001
From: Dane Everitt <dane@daneeveritt.com>
Date: Wed, 4 Jul 2018 18:11:43 -0700
Subject: [PATCH 3/3] Handle password reset logic change for 2fa

---
 resources/assets/scripts/components/auth/ResetPassword.vue | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/resources/assets/scripts/components/auth/ResetPassword.vue b/resources/assets/scripts/components/auth/ResetPassword.vue
index cda6716ac..ebfc588f8 100644
--- a/resources/assets/scripts/components/auth/ResetPassword.vue
+++ b/resources/assets/scripts/components/auth/ResetPassword.vue
@@ -97,6 +97,11 @@
                             throw new Error('An error was encountered while processing this login.');
                         }
 
+                        if (response.data.send_to_login) {
+                            self.success('Your password has been reset, please login to continue.');
+                            return self.$router.push({ name: 'login' });
+                        }
+
                         return window.location = response.data.redirect_to;
                     })
                     .catch(function (err) {