Open Closed

Critical security bug: Should change password on next login setting bypasses 2FA requirements #5585


User avatar
0
mkinc created
  • ABP Framework version: Replicable on ABP commercial demo on 14/8/23: ABP v7.4.0. Updated on 2023-08-02 12:30 . Angular Version v16.0.6
  • UI Type: Angular
  • Database System: Unknown
  • Tiered (for MVC) or Auth Server Separated (for Angular): Unknown
  • Steps to reproduce the issue:
    • Log in as admin
    • Create a new user 'test1'
    • Logout
    • Login as test1
    • Set up 2FA authenticator app and enable 2FA
    • Logout
    • Login as test1 and confirm 2FA works as expected (without checking remember browser)
    • Logout
    • Login as admin
    • Edit test1 user to enable 'Should change password on next login'
    • Logout
    • In login page, enter credentials for test1 user
  • Expected behaviour: Before asking for a new password, 2FA should be completed.
  • Actual behaviour:
    • I am asked for current password, new password, new password (repeat) and after submitting that I can login without any 2FA.
    • In order to confirm 2FA is still forced, logout, login again and you will be correctly be asked for 2FA
  • This is a critical security bug where 2FA can be bypassed even if the 2FA is forced.

Please let us know when this will be fixed + refund the question. Cheers.


2 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    I will check and fix it on the 7.3 patch. Thanks.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    https://github.com/abpframework/abp/pull/17369

    Use public AbpSignInManager SignInManager { get; set; } to check the 2fa.

Made with ❤️ on ABP v9.1.0-preview. Updated on December 10, 2024, 06:38