v2.3.14457282d
Security update for v2.3.0

This update fixes two low-impact security-related bugs in uffd.

1) TOTP code reuse: uffd supports time-based one-time passwords (TOTP) as a 2FA method. In addition to being short-lived (the "time-based" part), TOTP codes are supposed to be single-use (the "one-time" part), which makes them more resistant against phishing and eavesdropping. Until this release, however, uffd allowed the same code to be used multiple times during its validity period.

2) Broken OAuth2 authorization code invalidation: When a user authenticates with an SSO-connected application, a secret is transported in a URL query parameter when the user is redirected back from the SSO to the application. The application then uses this secret, the authorization code, to establish the user's identity. Anyone in possession of a valid authorization code can use it to impersonate the user it was issued for at the application it was issued for. Authorization codes are supposed to be single-use. Due to a bug introduced in v1.1.0, however, authorization codes were not invalidated on use and remained valid until they expired. Thanks to the short lifetime of authorization codes, the security impact of this issue is relatively low, unless an attacker has live access to web server or application logs, which usually include URL query parameters.
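The following Python is an added illustration of the two single-use properties described above (TOTP codes and OAuth2 authorization codes); it is example code written for this note, not uffd's own implementation. The TOTP part follows RFC 4226/6238 (HMAC-SHA1, 30-second steps, 6 digits) and enforces one-time use by remembering the time-step counter of the last accepted code; the authorization-code part removes a code from the store the moment it is presented, so a replay of the same code fails even though the code has not yet expired. The class names, the 60-second code lifetime and the one-step drift window are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30       # RFC 6238 time step in seconds
TOTP_DIGITS = 6
TOTP_WINDOW = 1      # assumption: accept one step of clock drift on either side
AUTH_CODE_LIFETIME = 60  # assumption: seconds a code stays valid if never used


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret, int(now) // step)


class TotpVerifier:
    """Verifies TOTP codes and rejects a code that was already accepted.

    `last_counter` is the time-step counter of the last accepted code for this
    user. Persisting it (per user, in the database) is what makes a code
    single-use: every step up to and including it is burned, so the same code
    cannot be replayed during the remainder of its validity period.
    """

    def __init__(self, secret: bytes, last_counter: int = -1):
        self.secret = secret
        self.last_counter = last_counter

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // TOTP_STEP
        for counter in range(current - TOTP_WINDOW, current + TOTP_WINDOW + 1):
            if counter <= self.last_counter:
                continue  # already consumed: this is the reuse case
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


class AuthCodeStore:
    """Issues OAuth2 authorization codes and consumes each one on first use."""

    def __init__(self):
        self._codes = {}  # code -> (user, client_id, expires_at)

    def issue(self, user: str, client_id: str, now: float) -> str:
        code = secrets.token_urlsafe(32)
        self._codes[code] = (user, client_id, now + AUTH_CODE_LIFETIME)
        return code

    def redeem(self, code: str, client_id: str, now: float):
        """Return the user the code was issued for, or None if it is not acceptable.

        pop() removes the entry before any check runs, so a second presentation
        of the same code fails regardless of whether the first one succeeded.
        Without this removal, a leaked code (e.g. from a web server access log)
        would stay usable until it expired.
        """
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        user, issued_to, expires_at = entry
        if issued_to != client_id or now > expires_at:
            return None
        return user
```

Both checks hinge on state that survives the request: the last accepted TOTP counter must be stored per user, and the authorization-code removal must be committed before the token response is sent, otherwise two concurrent redemptions of the same code can both succeed.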