
Cloud Vulnerability DB
A community-led vulnerabilities database
Pterodactyl, an open-source game server management panel built with PHP 7, React, and Go, was affected by CVE-2021-41129, publicly disclosed on October 6, 2021. The issue allowed a malicious user to tamper with the confirmation_token parameter sent during the two-factor authentication step so that the Panel loaded an account other than the one that had just passed the password check, potentially authenticating the attacker as another user (GitHub Advisory).
The flaw was in the LoginCheckpointController@__invoke method, which completes a login after a two-factor code has been submitted. The method read a confirmation_token parameter that was expected to be a 64-character random alphanumeric string issued at the password step, and used that string directly as a cache key whose stored value was the user_id to authenticate. Nothing verified that the supplied value was in fact such a token, so any cache entry the Panel could read whose value consisted only of digits could be referenced, and that value was then used as the ID of the account to log in as. The vulnerability received a CVSS v3.1 score of 8.1 (High) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (GitHub Advisory).
Although classified as a high-risk login bypass, exploitation depended on several conditions: the referenced cache entry had to exist, with an integer value, at the moment of the checkpoint request; the account that value pointed to had to have two-factor authentication enabled; and the attacker still had to submit a valid two-factor code for that account, which is why the CVSS vector carries AC:H. When those conditions were met, the attacker was authenticated as that user without knowing the account's email address or password (GitHub Advisory).
The vulnerability was patched in version 1.6.2. The login checkpoint was changed to take the pending user ID and confirmation token from the encrypted session store, so the value supplied in the request is only compared against what the server recorded for that session and is never used as a cache key. The codebase was also audited to ensure similar vulnerabilities were not present elsewhere, and users were advised to upgrade to version 1.6.2 (Panel Release).
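The flaw and the fix, reduced to their shape, as an added example written for this page. It is not Pterodactyl's own code and it leaves out the Laravel framework: the InMemoryCache class, the two-row $users table, the digits-valued entry named login_attempts:10.0.0.5, the auth_confirmation_token session key and a TOTP check reduced to a string comparison are all constructed stand-ins for Laravel's cache, Eloquent's findOrFail and the google2fa verifier.

```php
<?php
// Added illustration, not Pterodactyl code. InMemoryCache, the $users table,
// the "login_attempts:10.0.0.5" entry and the string-compare TOTP check are
// all constructed stand-ins for Laravel's cache, Eloquent and google2fa.
declare(strict_types=1);

final class InMemoryCache
{
    private array $items = [];

    public function put(string $key, $value): void
    {
        $this->items[$key] = $value;
    }

    public function get(string $key, $default = null)
    {
        return $this->items[$key] ?? $default;
    }
}

// Constructed user table: id => [email, currently valid 2FA code].
$users = [
    1 => ['email' => 'admin@example.com', 'totp' => '123456'],
    7 => ['email' => 'victim@example.com', 'totp' => '654321'],
];

// Stands in for User::findOrFail(): any integer-looking value is used as a primary key.
function findUser(array $users, $id): ?array
{
    return is_numeric($id) ? ($users[(int) $id] ?? null) : null;
}

// Pre-1.6.2 shape: the request's confirmation_token is used directly as a cache key,
// with no check that it is the 64-character token the Panel issued at the password step.
function checkpointVulnerable(InMemoryCache $cache, array $users, string $confirmationToken, string $code): ?string
{
    $user = findUser($users, $cache->get($confirmationToken, 0));
    if ($user === null) {
        return null;
    }
    // Stand-in for google2fa verifyKey(): the code must still be valid for the loaded user.
    return hash_equals($user['totp'], $code) ? $user['email'] : null;
}

// 1.6.2 shape: the password step stored {user_id, token_value, expires_at} in the
// encrypted session; the token from the request is compared against that, never used as a key.
function checkpointFixed(array $session, array $users, string $confirmationToken, string $code, int $now): ?string
{
    $details = $session['auth_confirmation_token'] ?? null;
    if (!is_array($details) || !isset($details['user_id'], $details['token_value'], $details['expires_at'])) {
        return null;                                  // no pending login in this session
    }
    if ($now > $details['expires_at']) {
        return null;                                  // pending login has expired
    }
    if (!hash_equals($details['token_value'], $confirmationToken)) {
        return null;                                  // not the token issued to this session
    }
    $user = findUser($users, $details['user_id']);   // user id comes from the server-side record only
    if ($user === null) {
        return null;
    }
    return hash_equals($user['totp'], $code) ? $user['email'] : null;
}

// Scenario: user 1 passed the password check and was issued a 64-character token.
$cache = new InMemoryCache();
$issuedToken = bin2hex(random_bytes(32));
$cache->put($issuedToken, 1);
// An unrelated, digits-valued entry in the same cache (constructed; think of a throttle counter).
$cache->put('login_attempts:10.0.0.5', 7);

// Attacker sends the counter's key as confirmation_token plus a code valid for user 7.
var_dump(checkpointVulnerable($cache, $users, 'login_attempts:10.0.0.5', '654321'));
// Same key, wrong code: the 2FA check still has to pass for the referenced user.
var_dump(checkpointVulnerable($cache, $users, 'login_attempts:10.0.0.5', '000000'));

$session = ['auth_confirmation_token' => [
    'user_id' => 1, 'token_value' => $issuedToken, 'expires_at' => time() + 300,
]];
// With the session-bound check the counter's key is just a mismatching token.
var_dump(checkpointFixed($session, $users, 'login_attempts:10.0.0.5', '654321', time()));
// The legitimate flow: issued token plus user 1's own code.
var_dump(checkpointFixed($session, $users, $issuedToken, '123456', time()));
```

Run it with the php command-line binary. In the vulnerable variant the first call hands back the victim's email even though the attacker never saw the issued token, because the cache lookup turned a foreign key into a user ID; the second call fails, which is the "must still supply a valid two-factor code" condition behind AC:H. In the fixed variant the request can only match or fail to match the token the server already recorded, and the user ID is taken from that record rather than from anything the client sent. A production version should additionally remove the session entry once it has been consumed, so a single pending login cannot be replayed.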
Source: This report was generated using AI