PT-2026-53177 · Packagist · Spomky-Labs/Otphp
Publicado
2026-06-18
·
Atualizado
2026-06-18
CVSS v4.0
6.9
Média
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N |
Summary
OTPHPFactory::loadFromProvisioningUri() parses an attacker-supplied otpauth:// URI and forwards every query key to OTP::setParameter($key, $value). setParameter() resolves the name with property exists($this, $parameter) and performs a dynamic write $this->{$parameter} = $value (src/OTP.php:196-197). Because the query keys are entirely controlled by whoever produced the URI, a URI can target the internal properties of the OTP object that are not meant to be set from a URI: parameters, issuer, label, issuer included as parameter, and (on TOTP) the readonly clock. This is an instance of object property mass-assignment (CWE-915).Impact
The
Factory is documented as the entry point for third-party provisioning URIs (e.g. QR codes from Microsoft 365 / Google Authenticator). An application that loads such a URI is exposed to:- State corruption. A URI such as
otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP¶meters[foo]=baroverwrites the whole internal$parametersarray thatcreateFromSecret()primed (period,algorithm,digits,epoch). The resulting object is silently unusable:getProvisioningUri(),getDigits(),at(),verify()then throwParameterNotFoundException. - Uncaught TypeError escaping the documented exception type. A URI such as
otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP&issuer included as parameter=notaboolassigns a string to a typedboolproperty and raises aTypeError. Thetry/catchinloadFromProvisioningUri()only wrapsUrl::fromString();createOTP()andpopulateOTP()run outside it, so theTypeError(andErroron the readonlyclock) escapes past the documentedInvalidProvisioningUriException, breaking callers that catch only the documented type. - Label/issuer validation bypass.
parameters[label]=hijackedstores a label into the parameters array without running thelabelvalidation callback (keyed onlabel, notparameters).getLabel()andgetParameter('label')then disagree — a confused-deputy risk.
Affected component
src/OTP.php:187-201—setParameter()dynamic property writesrc/Factory.php:50-55—populateParameters()forwarding all query keys
Proof of concept
php
use OTPHPFactory;
// State corruption
$otp = Factory::loadFromProvisioningUri(
'otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP¶meters[foo]=bar',
$clock
);
$otp->getProvisioningUri(); // ParameterNotFoundException: Parameter "period" does not exist
// Uncaught TypeError
Factory::loadFromProvisioningUri(
'otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP&issuer included as parameter=notabool',
$clock
); // TypeError escapes InvalidProvisioningUriExceptionRemediation
Restrict the keys accepted from a provisioning URI to a known allow-list of public OTP parameters, and never let a URI key resolve to an internal object property via
property exists. Route all URI-sourced values through the validated parameter map only.Correção
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Spomky-Labs/Otphp