0
OP Regular Newbie Apr 17, 2026 6:24pm

Severity: HIGH

Location: src/Controllers/TwoFactorController.php:132-143

Bug: Post-credential user state (banned, suspended, email unverified) not re-checked before completing login.

Fix: Re-apply the role !== 1 / suspended_until / email_verified_at guards after fetching user.

Status: open. Will reply with remediation details when resolved.

0
Regular Newbie Apr 17, 2026 6:39pm

Resolved.

TwoFactorController::verify now re-applies the account-state checks from handleLogin after fetching the user (src/Controllers/TwoFactorController.php):

  • role === 1 → banned → reject
  • suspended_until > now → suspended → reject
  • email_verified_at empty → unverified → reject

If any of these fail, the pending 2FA session keys are unset so the stale attempt can't be retried without re-authenticating. A user whose role drops to banned between the password step and the TOTP step can no longer complete login.

Locking this thread.
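Added example (not the project's own code) showing the shape of the fix described in the post: a 2FA verify step that re-applies the same account-state guards handleLogin uses, but only after the user row is fetched, and clears the pending 2FA session keys whenever one of those guards fails. The session key names, the user array shape, and the injected `$findUserById` / `$verifyTotp` callables are assumptions for illustration; the `role === 1` meaning and the three guards come from the thread.

```php
<?php
// Added example, not the project's code. Names below (session keys,
// findUserById/verifyTotp callables, user array shape) are assumptions.
declare(strict_types=1);

const ROLE_BANNED = 1;                                // per the thread: role === 1 means banned
const PENDING_2FA_USER_KEY = 'pending_2fa_user_id';   // assumed session key name
const PENDING_2FA_TS_KEY   = 'pending_2fa_started_at'; // assumed session key name

/**
 * Same guards the password step applies. Returns null when the account may
 * proceed, otherwise a short reason string.
 */
function accountStateProblem(array $user, DateTimeImmutable $now): ?string
{
    if ((int)($user['role'] ?? 0) === ROLE_BANNED) {
        return 'banned';
    }
    $suspendedUntil = $user['suspended_until'] ?? null;
    if ($suspendedUntil !== null && new DateTimeImmutable($suspendedUntil) > $now) {
        return 'suspended';
    }
    if (empty($user['email_verified_at'])) {
        return 'unverified';
    }
    return null;
}

/** Drop the pending-2FA state so the stale attempt cannot be retried. */
function clearPendingTwoFactor(array &$session): void
{
    unset($session[PENDING_2FA_USER_KEY], $session[PENDING_2FA_TS_KEY]);
}

/**
 * Second step of login. $findUserById stands in for the app's user lookup and
 * $verifyTotp for its TOTP check (both assumed, injected so the function can be
 * exercised offline). Returns ['ok' => bool, 'reason' => string|null].
 */
function verifyTwoFactor(
    array &$session,
    string $code,
    callable $findUserById,
    callable $verifyTotp,
    DateTimeImmutable $now
): array {
    $userId = $session[PENDING_2FA_USER_KEY] ?? null;
    if ($userId === null) {
        return ['ok' => false, 'reason' => 'no_pending_login'];
    }

    $user = $findUserById((int)$userId);
    if ($user === null) {
        clearPendingTwoFactor($session);
        return ['ok' => false, 'reason' => 'unknown_user'];
    }

    // The fix: re-check account state AFTER the fetch, not only at the password
    // step, so a ban or suspension applied in between still takes effect.
    $problem = accountStateProblem($user, $now);
    if ($problem !== null) {
        clearPendingTwoFactor($session);
        return ['ok' => false, 'reason' => $problem];
    }

    if (!$verifyTotp($user['totp_secret'], $code)) {
        // Assumed design choice: a wrong code keeps the pending state so the
        // user can retry; attempt limiting would live alongside this check.
        return ['ok' => false, 'reason' => 'bad_code'];
    }

    clearPendingTwoFactor($session);
    $session['user_id'] = $user['id'];   // assumed: establishes the logged-in session
    return ['ok' => true, 'reason' => null];
}

// Constructed demonstration: the user was banned between the password step
// and the TOTP step. The TOTP stub always passes, so only the state guard
// can reject, and the pending keys must be gone afterwards.
$users = [42 => [
    'id' => 42, 'role' => ROLE_BANNED, 'suspended_until' => null,
    'email_verified_at' => '2026-01-01 00:00:00', 'totp_secret' => 'stub',
]];
$session = [PENDING_2FA_USER_KEY => 42, PENDING_2FA_TS_KEY => time()];
$result = verifyTwoFactor(
    $session,
    '123456',
    fn(int $id) => $users[$id] ?? null,
    fn(string $secret, string $code) => true,
    new DateTimeImmutable()
);
var_dump($result['ok'], $result['reason'], isset($session[PENDING_2FA_USER_KEY]));
```

The important ordering is that `accountStateProblem` runs on the freshly fetched row, not on whatever was cached at the password step; and that a guard failure clears the pending keys before returning, which is what stops the same pending attempt from being replayed once the TOTP code is known.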
