FacturaScripts 2FA Bypass: Unauthenticated TOTP Brute-Force Leading to Account Takeover
The 2FA validation endpoint in FacturaScripts accepts unauthenticated TOTP codes without rate-limiting, CSRF protection, or prior password verification, enabling rapid brute-force attacks against any 2FA-enabled user account.
CVE References
Affected
Vulnerability Description
The twoFactorValidationAction() method in Core/Controller/Login.php implements a critical authentication bypass. The endpoint accepts POST requests containing only a username (fsNick) and TOTP code (fsTwoFactorCode) without requiring prior password authentication or CSRF token validation. This violates the fundamental security principle that 2FA should be a second factor—not a standalone authentication mechanism. The root cause is architectural: the 2FA handler lacks three critical controls present in other authentication handlers in the same file: (1) password verification, (2) CSRF token validation, and (3) pre-request rate-limiting via the userHasManyIncidents() guard function.
PoC Significance & Exploitation Mechanics
The PoC demonstrates a high-reliability, low-friction attack path. Google Authenticator (and similar TOTP implementations) maintain an 8-window verification window by default in FacturaScripts, meaning 17 distinct valid codes exist simultaneously at any moment, each valid for ~4 minutes. This creates an attack surface of approximately 40,800 guesses needed to achieve 50% success probability against a single target account. On standard LAMP infrastructure, an attacker can sustain ~400 requests/second from a single source, making complete account compromise achievable in minutes without authentication, rate-limiting, or detectability constraints. The attack requires no prior credential compromise and bypasses 2FA entirely—the very mechanism intended to prevent such scenarios.
Detection Guidance
Log Indicators:
- Repeated failed TOTP submissions to
/login?action=two-factor-validationfrom a single source IP in short time intervals (>50 attempts in <5 minutes is highly suspicious) - Successful 2FA validation immediately following reconnaissance (login page enumeration) without an intervening successful password submission
- Session creation events where
fsLogkeycookies are issued without correspondingloginActionentries in authentication logs - POST requests to the 2FA endpoint lacking standard browser headers (User-Agent, Referer) or originating from unusual geographic locations
Detection Signatures:
- Monitor for HTTP 200 responses to
POST /login?action=two-factor-validationfollowing multiple HTTP 401/403 responses to the same endpoint - Alert on successful session establishment without corresponding password-authentication log entry in the preceding 2 minutes
- Flag requests with identical
fsNickparameter repeated >20 times within 300 seconds
Mitigation & Remediation Steps
Immediate Workarounds (defense-in-depth):
- Implement IP-based rate-limiting on the
/loginendpoint (max 10 requests/minute/IP for 2FA validation) - Deploy Web Application Firewall (WAF) rules to block suspicious 2FA validation patterns
- Enable verbose authentication logging and alert on anomalies
- Require HTTPS-only with pinned certificates to prevent MITM augmentation
Patches Required:
- Add
$this->validateFormToken()call at the start oftwoFactorValidationAction() - Implement
userHasManyIncidents()check before processing the request, not after failure - Verify password was successfully authenticated in the current session before accepting TOTP
- Reduce
TwoFactorManager::VERIFICATION_WINDOWfrom 8 to 1 (industry standard) - Add exponential backoff or temporary account lockout after 5 failed TOTP attempts
Configuration Hardening:
- Force 2FA enforcement only for high-privilege accounts as interim measure
- Disable 2FA temporarily if patch unavailable and implement compensating controls
- Monitor for mass 2FA validation failures across multiple accounts (potential ongoing attack)
Risk Assessment
This vulnerability presents extreme operational risk in production environments. The attack requires no special tools, no prior compromise, and can be automated trivially. Threat actors specializing in credential harvesting, account takeover (ATO), and insider threat scenarios will prioritize exploitation immediately upon disclosure. Organizations running unpatched FacturaScripts instances with 2FA-enabled users face near-certain compromise if exposed to the internet. The 40-second-per-account exploitation window means an attacker can compromise dozens of accounts in a single incident without alerting security teams. Likelihood of wild exploitation is very high given the simplicity, reliability, and impact. Immediate patching is non-optional.
Sources