Executive Summary

This vulnerability exists in FileRise versions prior to 3.12.0, specifically in the /api/totp_setup.php endpoint. When a user has passed only the password check but is not fully authenticated (state pending_login_user), this endpoint can be called. If the target account already has TOTP (Time-based One-Time Password) configured, the endpoint decrypts and returns the user's existing TOTP secret inside the QR code PNG instead of refusing or generating a new secret.

An attacker who already knows the victim's password can exploit this flaw to retrieve the live TOTP secret, derive a valid one-time code, and submit it to /api/totp_verify.php. This allows the attacker to obtain a fully authenticated session without needing the victim's physical authenticator device.

This vulnerability was fixed in FileRise version 3.12.0.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have a significant security impact because it allows an attacker who has obtained a user's password to bypass the second factor of authentication (TOTP).

By retrieving the live TOTP secret, the attacker can generate valid one-time codes and fully authenticate as the victim without possessing the victim's authenticator device.

This effectively defeats the purpose of two-factor authentication, increasing the risk of unauthorized access to sensitive files and data managed by FileRise.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is fixed in FileRise version 3.12.0. To mitigate this vulnerability, you should upgrade your FileRise installation to version 3.12.0 or later.

Additionally, ensure that accounts with TOTP configured are protected by strong passwords to prevent attackers who have obtained passwords from exploiting this issue.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker who knows a victim's password to retrieve the victim's live TOTP secret, bypassing two-factor authentication and gaining full account access without the victim's authenticator device.

Such unauthorized access can lead to exposure of sensitive personal or organizational data, which may violate data protection requirements under standards like GDPR and HIPAA that mandate strong access controls and protection of confidential information.

Because the vulnerability results in high impacts on confidentiality and integrity, it undermines compliance with these regulations by failing to adequately protect user authentication and sensitive data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthorized access to the /api/totp_setup.php endpoint when a session is in the pending_login_user state. Detection can focus on monitoring access to this endpoint, especially requests made after password authentication but before full TOTP verification.

You can detect potential exploitation attempts by inspecting web server logs or network traffic for calls to /api/totp_setup.php from sessions that have not completed full authentication.

Suggested commands to detect such activity include:

• Using grep to find requests to the vulnerable endpoint in web server logs: grep "/api/totp_setup.php" /var/log/nginx/access.log
• Using tcpdump or tshark to capture HTTP requests to the endpoint: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep "/api/totp_setup.php"
• Analyzing application logs for sessions in the pending_login_user state accessing /api/totp_setup.php.

Note that detection requires correlating session states and endpoint access, which may require custom logging or monitoring within the FileRise application or its authentication system.

Useful 0 Not Useful 0