Missing Two Factor Authentication in /admin/login
State Duplicate (Closed)
Disclosed publicly 2019-01-07T12:50:52.913Z
Reported To
Weakness Violation of Secure Design Principles
Bounty


Timeline
submitted a report to CFP Time.
2019-01-05T09:04:11.284Z

Hello Team,

First of all, this report is mainly a concern for suggested security improvements based on your policy page.
If this is not possible, please do let me know. Thanks!

INTRODUCTION

The administrative panel is one of the main entry points for the website owner to manage their web apps from outside, making it exposed not only to the website owner but to the public as well.

DESCRIPTION

I have found out that https://www.cfptime.org/ has an endpoint at admin/login which is written in the Django web application framework for Python (I should say, based on the login page UI).

Though the web application looks okay, I do suggest that you set up additional Two Factor Authentication on the login page to ensure that only the website owner can access the site internally and no one else.

RECOMMENDATIONS

Things To Look For

  • Suggested security improvements

I highly recommend installing 2FA using the following Python modules: django-otp and qrcode, which use an OTP token for verification, since CSRF tokens are meant to be used only in public, while an OTP can only be received by the website owner.

REFERENCES

Finally, the references I used for this report; you might consider checking this also for even more ways to fortify your web application.
https://hackernoon.com/5-ways-to-make-django-admin-safer-eb7753698ac8

Impact

Prone to password guessing attacks/brute force attacks.

Regards,
Frans

paul_cfptime Activities::Comment
2019-01-05T14:35:01.096Z
Hi there, thanks a lot for your report and the references! I will dive into it in the next couple of days and let you know how this goes. Thanks though,


phsmile Activities::Comment
2019-01-05T15:02:43.815Z
Thank you for your fast response @paul_cfptime, no worries just take your time :)


paul_cfptime Activities::BugDuplicate
2019-01-06T21:08:55.622Z
Pfew, went through all the submissions and unfortunately found a duplicate one. Sorry for that but thanks a lot for your time hunting this down!


phsmile Activities::Comment
2019-01-07T09:00:28.462Z
Oh, I see @paul_cfptime, how did the first reporter's report go? Was it closed as resolved?


paul_cfptime Activities::Comment
2019-01-07T09:02:33.106Z
Hey there, yes, if you go back to the URL you will see that I implemented TOTP :) Thanks again for your hunting!


phsmile Activities::Comment
2019-01-07T09:04:58.196Z
Yeah, much better I should say :) Nice patch @paul_cfptime. Can I request public disclosure for this one?


phsmile Activities::AgreedOnGoingPublic
2019-01-07T09:05:16.004Z


paul_cfptime Activities::AgreedOnGoingPublic
2019-01-07T12:50:52.887Z


paul_cfptime Activities::ReportBecamePublic
2019-01-07T12:50:53.208Z