Fixing CVE-2022-42731

Merge branch 'CVE-2022-42731'
2022-10-10 17:35:26 +03:00 · 2022-10-10 17:21:31 +03:00 · 2022-10-10 17:20:47 +03:00 · 2022-10-01 12:45:18 +03:00 · 2022-10-01 12:41:15 +03:00
4 changed files with 17 additions and 5 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Change Log
-## 2.6.0 (dev)
+## 2.6.1
+* Fix: CVE-2022-42731: related to the possibility of registration replay attack.
+  Thanks to 'SSE (Secure Systems Engineering)'
+
+## 2.5.1
+* Fix: CVE-2022-42731: related to the possibility of registration replay attack.
+  Thanks to 'SSE (Secure Systems Engineering)' 
+
+## 2.6.0
   * Adding Backup Recovery Codes (Recovery) as a method.
     Thanks to @Spitfireap for work, and  @peterthomassen for guidance.
   * Added: `RECOVERY_ITERATION` to set the number of iteration when hashing recovery token
--- a/README.md
+++ b/README.md
@@ -196,6 +196,8 @@ function some_func() {
 * [AndreasDickow](https://github.com/AndreasDickow)
 * [mnelson4](https://github.com/mnelson4)
 * [ezrajrice](https://github.com/ezrajrice)
+* [Spitfireap](https://github.com/Spitfireap)
+* [peterthomassen](https://github.com/peterthomassen)


 # Security contact information
--- a/mfa/FIDO2.py
+++ b/mfa/FIDO2.py
@@ -16,7 +16,7 @@ from .views import login, reset_cookie
 import datetime
 from .Common import get_redirect_url
 from django.utils import timezone
-
+from django.http import JsonResponse

 def recheck(request):
    """Starts FIDO2 recheck"""
@@ -49,13 +49,15 @@ def begin_registeration(request):
 def complete_reg(request):
    """Completes the registeration, called by API"""
    try:
+        if not "fido_state" in request.session:
+            return JsonResponse({'status': 'ERR', "message": "FIDO Status can't be found, please try again"})
        data = cbor.decode(request.body)

        client_data = CollectedClientData(data['clientDataJSON'])
        att_obj = AttestationObject((data['attestationObject']))
        server = getServer()
        auth_data = server.register_complete(
-            request.session['fido_state'],
+            request.session.pop('fido_state'),
            client_data,
            att_obj
        )
@@ -79,7 +81,7 @@ def complete_reg(request):
            client.captureException()
        except:
            pass
-        return HttpResponse(simplejson.dumps({'status': 'ERR', "message": "Error on server, please try again later"}))
+        return JsonResponse({'status': 'ERR', "message": "Error on server, please try again later"})


 def start(request):
--- a/setup.py
+++ b/setup.py
@@ -4,7 +4,7 @@ from setuptools import find_packages, setup

 setup(
    name='django-mfa2',
-    version='2.5.0',
+    version='2.6.1',
    description='Allows user to add 2FA to their accounts',
    long_description=open("README.md").read(),
    long_description_content_type="text/markdown",
Author	SHA1	Message	Date
Mohamed ElKalioby	2d7b80bf5a	Fixing CVE-2022-42731	2022-10-10 17:35:26 +03:00
Mohamed ElKalioby	8dba66b7b2	Merge branch 'CVE-2022-42731'	2022-10-10 17:21:31 +03:00
Mohamed ElKalioby	54db5a513b	Fixing CVE-2022-42731	2022-10-10 17:20:47 +03:00
Mohamed El-Kalioby	4903967c23	Released v2.6.0	2022-10-01 12:45:18 +03:00
Mohamed El-Kalioby	cb2149acf3	Merged v2.6.0	2022-10-01 12:41:15 +03:00