
GHSA-7rhv-h82h-vpjh: EC-CUBE has a Vulnerability that Allows MFA Bypass in the Administrative Interface

March 5, 2026

Vulnerability Allowing MFA Bypass

Affected EC-CUBE Versions

Versions: 4.1.0 – 4.3.1

Vulnerability Overview

If an administrator’s ID and password are compromised, an issue exists that allows an attacker to bypass the normally required two-factor authentication (2FA) and log in to the administrative interface.

Severity and Impact

CVSS v3.1 score
Base score: 6.2 / Temporal score: 5.7 / Environmental score (after mitigation and countermeasures): 0.0

An attacker can forcibly overwrite the 2FA configuration of an account with administrative privileges. As a result, the legitimate administrator can be locked out, while the attacker can log in to the administrative interface and perform unauthorized actions such as viewing sensitive information or tampering with the website.

Root Cause Details

There are flaws in the access control implementation for the 2FA settings page (/admin/two_factor_auth/set).

  1. TwoFactorAuthListener.php
    The route for the 2FA settings page (admin_two_factor_auth_set) is included in the list of routes excluded from the 2FA authentication check.

  2. TwoFactorAuthController.php
    Even for users who already have 2FA configured, the implementation allows reconfiguration (overwriting) of the 2FA secret key without passing 2FA authentication.

Attack Preconditions and Steps

Preconditions:

  • The attacker knows the administrative user’s ID and password.
  • 2FA is enabled for that user.

Attack Steps:

  1. Attempt to log in using the ID and password.
  2. When the 2FA code entry screen is displayed, do not enter a code; instead, directly modify the URL to access /admin/two_factor_auth/set.
  3. Because access is not denied, the attacker can generate and save (overwrite) a new 2FA secret key.
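As an added illustration (not EC-CUBE's own code and not taken from the referenced commit), the PHP below models the two defects named above next to a hardened gate and a hardened secret-update routine; the class and function names and the route name admin_two_factor_auth_verify are assumptions, only admin_two_factor_auth_set comes from the advisory.

```php
<?php
// Constructed illustration, not EC-CUBE's code. $twoFactorPassed marks a
// session that completed the code-entry step; $twoFactorEnabled marks an
// account that already has a secret configured.
final class AdminSession {
    public function __construct(
        public bool $passwordOk = false,
        public bool $twoFactorEnabled = true,
        public bool $twoFactorPassed = false,
        public string $secret = 'OLD-SECRET',   // constructed sample value
    ) {}
}

// Vulnerable gate (defect 1): the settings route sits on the exclusion list,
// so a session that has only passed the password step is let through to it.
function vulnerableGateAllows(AdminSession $s, string $route): bool {
    $excluded = ['admin_login', 'admin_two_factor_auth_set'];
    if (in_array($route, $excluded, true)) { return true; }
    return $s->passwordOk && (!$s->twoFactorEnabled || $s->twoFactorPassed);
}

// Hardened gate: before 2FA is completed only the login and the code-entry
// route (assumed name admin_two_factor_auth_verify) are reachable; the
// settings page is an ordinary protected route like everything else.
function hardenedGateAllows(AdminSession $s, string $route): bool {
    $preAuth = ['admin_login', 'admin_two_factor_auth_verify'];
    if (in_array($route, $preAuth, true)) { return true; }
    return $s->passwordOk && (!$s->twoFactorEnabled || $s->twoFactorPassed);
}

// Hardened controller (defect 2): an existing secret may only be replaced by
// a session that completed 2FA with it; first-time setup (no secret yet)
// stays allowed. This check holds even if the route gate regresses.
function hardenedSetSecret(AdminSession $s, string $newSecret): bool {
    if ($s->twoFactorEnabled && !$s->twoFactorPassed) { return false; }
    $s->secret = $newSecret;
    $s->twoFactorEnabled = true;
    return true;
}

// A session that entered the password and then skipped the code screen:
// the vulnerable gate admits it to the settings route, the hardened gate
// and the hardened controller both refuse until the code has been verified.
$s = new AdminSession(passwordOk: true);
var_dump(vulnerableGateAllows($s, 'admin_two_factor_auth_set'));
var_dump(hardenedGateAllows($s, 'admin_two_factor_auth_set'));
var_dump(hardenedSetSecret($s, 'NEW-SECRET'));
$s->twoFactorPassed = true;   // code-entry step completed with the old secret
var_dump(hardenedSetSecret($s, 'NEW-SECRET'));
```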

References

  • github.com/EC-CUBE/ec-cube
  • github.com/EC-CUBE/ec-cube/commit/094785943bfc3815c29f0cce9dbabb9bcc688474
  • github.com/EC-CUBE/ec-cube/security/advisories/GHSA-7rhv-h82h-vpjh
  • github.com/advisories/GHSA-7rhv-h82h-vpjh

Affected versions

All versions starting from 4.1.0 up to 4.3.1

Solution

Unfortunately, there is no solution available yet.

Impact 6.7 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Weakness

  • CWE-287: Improper Authentication

Source file

packagist/ec-cube/ec-cube/GHSA-7rhv-h82h-vpjh.yml

Page generated Mon, 11 May 2026 00:19:04 +0000.