CVE-2024-49762: 
PHP vulnerability analysis and mitigation

Pterodactyl, a free and open-source game server management panel, was found to have a vulnerability related to password exposure during two-factor authentication (2FA) disabling process. When a user disables 2FA via the Panel, their current password is sent as a query parameter in a DELETE request. Although these parameters are encrypted during TLS transmission, many webservers (including those officially documented for Pterodactyl use) log query parameters in plain text, potentially exposing user passwords. This vulnerability was discovered and disclosed on October 24, 2024, affecting versions prior to 1.11.8 (GitHub Advisory).

The vulnerability is classified as CWE-313 (Cleartext Storage in a File or on Disk) with a CVSS v3.1 score of 4.6 (Medium). The issue stems from the implementation of the 2FA disable functionality where the password is transmitted as a query parameter in a DELETE request. While the transmission itself is secure via TLS, the vulnerability arises from the webserver's logging behavior, which stores these query parameters, including passwords, in plain text in access logs (GitHub Advisory).

If a malicious actor gains access to server logs, they could potentially authenticate against user accounts by obtaining the plain text passwords. The attack's success would require the attacker to also discover the associated email address or username. For NGINX installations, the sensitive data would be stored in '/var/log/nginx/pterodactyl.app-access.log' (GitHub Advisory).

The vulnerability has been patched in version 1.11.8. There are no direct workarounds available other than updating to the patched version or manually applying the fix. Users who have ever disabled 2FA should change their passwords and consider re-enabling 2FA. Panel administrators are advised to clear any access logs that may contain sensitive data (GitHub Advisory).