PT-2026-53177 · Packagist · Spomky-Labs/Otphp

Publicado

2026-06-18

·

Atualizado

2026-06-18

CVSS v4.0

6.9

Média

VetorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Summary

OTPHPFactory::loadFromProvisioningUri() parses an attacker-supplied otpauth:// URI and forwards every query key to OTP::setParameter($key, $value). setParameter() resolves the name with property exists($this, $parameter) and performs a dynamic write $this->{$parameter} = $value (src/OTP.php:196-197). Because the query keys are entirely controlled by whoever produced the URI, a URI can target the internal properties of the OTP object that are not meant to be set from a URI: parameters, issuer, label, issuer included as parameter, and (on TOTP) the readonly clock. This is an instance of object property mass-assignment (CWE-915).

Impact

The Factory is documented as the entry point for third-party provisioning URIs (e.g. QR codes from Microsoft 365 / Google Authenticator). An application that loads such a URI is exposed to:
  • State corruption. A URI such as otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP&parameters[foo]=bar overwrites the whole internal $parameters array that createFromSecret() primed (period, algorithm, digits, epoch). The resulting object is silently unusable: getProvisioningUri(), getDigits(), at(), verify() then throw ParameterNotFoundException.
  • Uncaught TypeError escaping the documented exception type. A URI such as otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP&issuer included as parameter=notabool assigns a string to a typed bool property and raises a TypeError. The try/catch in loadFromProvisioningUri() only wraps Url::fromString(); createOTP() and populateOTP() run outside it, so the TypeError (and Error on the readonly clock) escapes past the documented InvalidProvisioningUriException, breaking callers that catch only the documented type.
  • Label/issuer validation bypass. parameters[label]=hijacked stores a label into the parameters array without running the label validation callback (keyed on label, not parameters). getLabel() and getParameter('label') then disagree — a confused-deputy risk.

Affected component

  • src/OTP.php:187-201setParameter() dynamic property write
  • src/Factory.php:50-55populateParameters() forwarding all query keys

Proof of concept

php
use OTPHPFactory;

// State corruption
$otp = Factory::loadFromProvisioningUri(
  'otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP&parameters[foo]=bar',
  $clock
);
$otp->getProvisioningUri(); // ParameterNotFoundException: Parameter "period" does not exist

// Uncaught TypeError
Factory::loadFromProvisioningUri(
  'otpauth://totp/Alice?secret=JBSWY3DPEHPK3PXP&issuer included as parameter=notabool',
  $clock
); // TypeError escapes InvalidProvisioningUriException

Remediation

Restrict the keys accepted from a provisioning URI to a known allow-list of public OTP parameters, and never let a URI key resolve to an internal object property via property exists. Route all URI-sourced values through the validated parameter map only.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

GHSA-2JX3-65F3-XR8R

Produtos afetados

Spomky-Labs/Otphp