misc_pterodactyl-panel/app/Http/Controllers
Dane Everitt 8f5bd214a4
[Security] Address 2FA bypass in password reset functionality
Thanks to Trixter#0001 on Discord for this security report.

There was a two-factor authentication bypass present in all previous versions of Pterodactyl that would allow a user to login without providing a token by going through the password reset process. A person would still have to have access to the targeted account's email, but if they did manage to get a password reset link they would be able to reset the account password and then proceede to login without a token being required.

This logic has since been changed to check if 2FA is enabled on an account, and if so they will NOT be logged in when their password is changed. This will force them to continue through the normal login pathway where a token will be needed.

Overall the impact of this issue is minor, but I am still addressing it and disclosing the mechanism behind it.
2018-07-04 11:41:56 -07:00
..
Admin Apply fixes from StyleCI 2018-06-02 21:32:26 +00:00
API/Remote Fix app/ spelling errors 2018-05-13 11:12:41 -04:00
Api Fix exception thrown due to lack of pre-validation on the model. 2018-05-20 17:11:52 -07:00
Auth [Security] Address 2FA bypass in password reset functionality 2018-07-04 11:41:56 -07:00
Base Logout other sessions when password is changed 2018-06-30 17:50:58 -07:00
Daemon Send an email when a server is marked as installed (#1213) 2018-07-01 14:34:40 -07:00
Server Allow creating subuser with no permissions 2018-06-30 18:25:46 -07:00
Controller.php Initial Commit of Files 2015-12-06 13:58:49 -05:00