annikav9 / carrotsh Goto Github PK

Severity: Low (At the moment)

The Issue

The TOTP secret key generated by the server is stored as plaintext in login/2fa_key. While it is unlikely anyone who doesn't have access to the server can retrieve this key, this may change when new bugs or vulnerabilities surface in future updates.

commands/csh_setup_2fa.py#L16-L19

Patch Status

This issue has not been patched yet.

• Symmetric/Asymmetric encryption with key file(s) is pointless, since the encryption key needs to be stored in the same server, and will face the same issue as the plaintext 2fa secret key.
• Encrypting the 2fa key with the user password as the encryption passphrase is also not feasible, as the whole point of having an otp system is to keep the server secure even if the password is compromised.

A method to save the key in the operating system's keyring/keychain/secret-service is being worked on at the moment.

Workarounds

• Ensure that only trusted user accounts can access the carrotsh directory in your server.
• Ensure that no other webserver/fileserver is exposing the carrotsh directory to the internet.

If you do have a proper solution, feel free to make a pull request which references this issue