Lookup for vulnerable packages by Package URL.

| Field | Value |
| --- | --- |
| Purl | pkg:composer/pterodactyl/panel@0.7.0-rc.2 |
| Type | composer |
| Namespace | pterodactyl |
| Name | panel |
| Version | 0.7.0-rc.2 |
| Qualifiers | |
| Subpath | |
| Is_vulnerable | true |
| Next_non_vulnerable_version | 1.7.0 |
| Latest_non_vulnerable_version | 1.12.3 |
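The lookup is keyed on the Package URL in the first row, and the fields that follow (Type, Namespace, Name, Version, Qualifiers, Subpath) are the components of that purl. The following is an added example, not VulnerableCode's own code: a small purl parser that recovers those components per the purl spec's order of operations, plus a helper that turns a record shaped like this page into an upgrade decision. `PANEL_LOOKUP` is constructed by hand from the values shown on this page rather than fetched from the API, and `upgrade_advice` is a name chosen here.

```python
"""Parse a Package URL into the fields the lookup reports, and turn one
lookup record into an upgrade decision.

Added example, not VulnerableCode's own code. PANEL_LOOKUP is constructed
by hand from the values on this page, not fetched from the API.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import unquote


@dataclass
class PackageURL:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None


def parse_purl(purl: str) -> PackageURL:
    """Split pkg:type/namespace/name@version?qualifiers#subpath.

    Components are peeled off from the right in the order the purl spec
    gives (subpath, qualifiers, version), so a percent-encoded '@' or '?'
    inside a name or namespace is never misread as a delimiter.
    """
    if not purl.startswith("pkg:"):
        raise ValueError("purl must start with 'pkg:'")
    rest = purl[len("pkg:"):].strip("/")

    subpath = None
    if "#" in rest:
        rest, raw_subpath = rest.rsplit("#", 1)
        # The spec drops empty, '.' and '..' subpath segments.
        kept = [unquote(s) for s in raw_subpath.split("/") if s not in ("", ".", "..")]
        subpath = "/".join(kept) or None

    qualifiers: Dict[str, str] = {}
    if "?" in rest:
        rest, raw_qualifiers = rest.rsplit("?", 1)
        for pair in raw_qualifiers.split("&"):
            key, _, value = pair.partition("=")
            if key and value:  # a qualifier with an empty value is discarded
                qualifiers[key.lower()] = unquote(value)

    version = None
    if "@" in rest:
        rest, raw_version = rest.rsplit("@", 1)
        version = unquote(raw_version)

    segments = [s for s in rest.split("/") if s]
    if len(segments) < 2:
        raise ValueError("purl needs at least a type and a name")
    return PackageURL(
        type=segments[0].lower(),
        namespace="/".join(unquote(s) for s in segments[1:-1]) or None,
        name=unquote(segments[-1]),
        version=version,
        qualifiers=qualifiers,
        subpath=subpath,
    )


def upgrade_advice(lookup: dict) -> str:
    """Summarise one package record: CVE ids found and the smallest and
    newest versions the database reports as not vulnerable."""
    pkg = parse_purl(lookup["purl"])
    if not lookup["is_vulnerable"]:
        return f"{pkg.name}@{pkg.version}: no known vulnerabilities"
    vulns = lookup["affected_by_vulnerabilities"]
    cves = sorted(a for v in vulns for a in v["aliases"] if a.startswith("CVE-"))
    return (
        f"{pkg.name}@{pkg.version}: {len(vulns)} advisories "
        f"({', '.join(cves) or 'no CVE ids'}); "
        f"minimal fix {lookup['next_non_vulnerable_version']}, "
        f"latest fix {lookup['latest_non_vulnerable_version']}"
    )


# Constructed from the values on this page; not a live API response.
PANEL_LOOKUP = {
    "purl": "pkg:composer/pterodactyl/panel@0.7.0-rc.2",
    "is_vulnerable": True,
    "next_non_vulnerable_version": "1.7.0",
    "latest_non_vulnerable_version": "1.12.3",
    "affected_by_vulnerabilities": [
        {"vulnerability_id": "VCID-4dmv-578h-yffr", "aliases": ["CVE-2021-41273", "GHSA-wwgq-9jhf-qgw6"]},
        {"vulnerability_id": "VCID-9b11-582z-9uad", "aliases": ["CVE-2021-41176", "GHSA-m49f-hcxp-6hm6"]},
        {"vulnerability_id": "VCID-gwx6-sjts-hygr", "aliases": ["CVE-2019-1020002", "GHSA-fg52-xjfc-9rh8"]},
        {"vulnerability_id": "VCID-rzhf-4asb-tqe8", "aliases": ["GHSA-7v3x-h7r2-34jv", "GMS-2022-28"]},
    ],
}

if __name__ == "__main__":
    print(parse_purl(PANEL_LOOKUP["purl"]))
    print(upgrade_advice(PANEL_LOOKUP))
```

`next_non_vulnerable_version` is the smallest upgrade that clears every listed advisory, which for this package skips the whole 0.7.x and 1.0 to 1.6.x range; the parser is generic and handles qualifiers and subpaths this purl does not carry.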
**Affected_by_vulnerabilities**

**1. VCID-4dmv-578h-yffr**

| Field | Value |
| --- | --- |
| url | VCID-4dmv-578h-yffr |
| vulnerability_id | VCID-4dmv-578h-yffr |

**summary**

Cross-Site Request Forgery (CSRF)

Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints: sending a test email and generating a node auto-deployment token. At no point would any data be exposed to the malicious user; this would simply trigger email spam to an administrative user, or generate a single auto-deployment token unexpectedly. This token is not revealed to the malicious user; it is simply created unexpectedly in the system. This has been addressed in release `1.6.6`. Users may optionally manually apply the fixes released in v1.6.6 to patch their own systems.

| Field | Value |
| --- | --- |
| references | |
| fixed_packages | |
| aliases | CVE-2021-41273, GHSA-wwgq-9jhf-qgw6 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-4dmv-578h-yffr |
**2. VCID-9b11-582z-9uad**

| Field | Value |
| --- | --- |
| url | VCID-9b11-582z-9uad |
| vulnerability_id | VCID-9b11-582z-9uad |

**summary**

Cross-Site Request Forgery (CSRF)

Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. This requires a targeted attack against a specific Panel instance, and serves only to sign a user out. **No user details are leaked, nor is any user data affected; this is simply an annoyance at worst.** This is fixed

| Field | Value |
| --- | --- |
| references | |
| fixed_packages | |
| aliases | CVE-2021-41176, GHSA-m49f-hcxp-6hm6 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-9b11-582z-9uad |
**3. VCID-gwx6-sjts-hygr**

| Field | Value |
| --- | --- |
| url | VCID-gwx6-sjts-hygr |
| vulnerability_id | VCID-gwx6-sjts-hygr |

**summary**

Pterodactyl vulnerable to 2FA Sniffing

**Pterodactyl version 0.7.13 and lower - 2FA Sniffing**

### Impact

Users who have enabled 2FA protections on their account can unintentionally have their account's existence sniffed by malicious users who enter random credentials into the login fields.

A logical mistake was made when the original code was written that would wait to verify the user's password until they had provided 2FA credentials, if 2FA was enabled on their account. Because of this, you could enter a bad password for a known email and determine whether the account exists: if it does and has 2FA enabled, you get redirected to a 2FA page.

### For more information

If you have any questions or comments about this advisory please reach out on Discord or email dane@[project name].io.

| Field | Value |
| --- | --- |
| references | |
| fixed_packages | |
| aliases | CVE-2019-1020002, GHSA-fg52-xjfc-9rh8 |
| risk_score | 4.0 |
| exploitability | 0.5 |
| weighted_severity | 8.0 |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-gwx6-sjts-hygr |
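The 2FA sniffing advisory above is an ordering bug: the login handler branched on "does this account have 2FA?" before it had verified the password, so the redirect alone told an attacker that the account exists. The following is an added example, not Pterodactyl's code, written in Python rather than the project's PHP: a simplified login handler with that ordering beside the corrected one. The user records, salt and route strings are constructed here. It goes one step past the advisory by also hashing a dummy password when the email is unknown, so the fixed path does not leak the same fact through response timing.

```python
"""Account enumeration through a 2FA redirect, and the corrected ordering.

Added example, not Pterodactyl's code. Users, salt and the "redirect:2fa"
marker are constructed for the demonstration.
"""
import hashlib
import hmac
import os


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store: one account with 2FA enabled, one without.
_SALT = b"\x01" * 16
USERS = {
    "admin@example.test": {"hash": hash_password("correct horse", _SALT), "totp": True},
    "player@example.test": {"hash": hash_password("battery staple", _SALT), "totp": False},
}
# Verified instead of the real hash when the email is unknown, so a miss
# costs the same CPU time as a hit (timing side of the same oracle).
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _SALT)


def login_vulnerable(email: str, password: str) -> str:
    """Ordering described for 0.7.13 and lower: an account with 2FA is
    redirected before its password is checked, so a wrong password against
    a real 2FA account and a wrong password against a missing account give
    different responses."""
    user = USERS.get(email)
    if user is None:
        return "invalid credentials"
    if user["totp"]:
        return "redirect:2fa"  # password has not been verified yet
    if hmac.compare_digest(hash_password(password, _SALT), user["hash"]):
        return "logged in"
    return "invalid credentials"


def login_fixed(email: str, password: str) -> str:
    """Verify the password first, then branch on 2FA. Unknown account and
    wrong password return the same response after the same work."""
    user = USERS.get(email)
    expected = user["hash"] if user else _DUMMY_HASH
    password_ok = hmac.compare_digest(hash_password(password, _SALT), expected)
    if user is None or not password_ok:
        return "invalid credentials"
    if user["totp"]:
        return "redirect:2fa"
    return "logged in"


def responses_differ(login, known_email: str, unknown_email: str) -> bool:
    """The enumeration oracle: does a bad password produce a different
    response for an existing account than for a non-existent one?"""
    return login(known_email, "wrong") != login(unknown_email, "wrong")


if __name__ == "__main__":
    print("vulnerable leaks:", responses_differ(login_vulnerable, "admin@example.test", "nobody@example.test"))
    print("fixed leaks:", responses_differ(login_fixed, "admin@example.test", "nobody@example.test"))
```

Run it and the vulnerable handler answers `redirect:2fa` to a wrong password for the 2FA account and `invalid credentials` for an unknown one, while the fixed handler answers `invalid credentials` to both; a correct password still reaches the 2FA step for the account that has it enabled.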
**4. VCID-rzhf-4asb-tqe8**

| Field | Value |
| --- | --- |
| url | VCID-rzhf-4asb-tqe8 |
| vulnerability_id | VCID-rzhf-4asb-tqe8 |

**summary**

Insufficient Session Expiration in Pterodactyl API
### Impact
A vulnerability exists in Pterodactyl Panel `<= 1.6.6` that could allow a malicious attacker that compromises an API key to generate an authenticated user session that is not revoked when the API key is deleted, thus allowing the malicious user to remain logged in as the user the key belonged to.
It is important to note that **a malicious user must first compromise an existing API key for a user to exploit this issue**. It cannot be exploited by chance, and requires a coordinated attack against an individual account using a known API key.
### Patches
This issue has been addressed in the `v1.7.0` release of Pterodactyl Panel.
### Workarounds
Those not wishing to upgrade may apply the change below:
```diff
diff --git a/app/Http/Middleware/Api/AuthenticateKey.php b/app/Http/Middleware/Api/AuthenticateKey.php
index eb25dac6..857bfab2 100644
--- a/app/Http/Middleware/Api/AuthenticateKey.php
+++ b/app/Http/Middleware/Api/AuthenticateKey.php
@@ -70,7 +70,7 @@ class AuthenticateKey
} else {
$model = $this->authenticateApiKey($request->bearerToken(), $keyType);
- $this->auth->guard()->loginUsingId($model->user_id);
+ $this->auth->guard()->onceUsingId($model->user_id);
}
```
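Review bot: swapping `loginUsingId` for `onceUsingId` in the `else` branch stops a bearer-key request from writing a session, which is the fix the advisory describes, but it does not revoke sessions that this path already created before the change; anyone applying this hunk as the workaround should also clear existing sessions for the affected users, and the Workarounds text should say so. Only the `else` branch is touched; the `if` branch that precedes it lies outside the shown context, so this hunk alone does not establish that no other API authentication path still calls `loginUsingId`.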
### For more information
If you have any questions or comments about this advisory please reach out to `Tactical Fish#8008` on [Discord](https://discord.gg/pterodactyl) or email `dane@pterodactyl.io`.

| Field | Value |
| --- | --- |
| references | |
| fixed_packages | |
| aliases | GHSA-7v3x-h7r2-34jv, GMS-2022-28 |
| risk_score | null |
| exploitability | null |
| weighted_severity | null |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-rzhf-4asb-tqe8 |
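The Impact section of the advisory above describes a lifecycle mismatch: an API key, which the owner can delete, was being used to mint a session, which the key's deletion did not touch. The following is an added example, not Pterodactyl's code and in Python rather than its PHP: a toy model of bearer-key authentication with the persistent-session behaviour beside the per-request behaviour, plus the cleanup the advisory leaves implicit, revoking sessions already minted. Keys, user ids and the in-memory session store are constructed here.

```python
"""An API key must authenticate a request, not mint a session.

Added example, not Pterodactyl's code. Panel, its key table and session
store are constructed in memory for the demonstration.
"""
import hashlib
import secrets
from typing import Dict, Optional


def _fingerprint(token: str) -> str:
    # Store a digest of the bearer token, never the token itself.
    return hashlib.sha256(token.encode()).hexdigest()


class Panel:
    def __init__(self) -> None:
        self.api_keys: Dict[str, int] = {}  # token fingerprint -> user id
        self.sessions: Dict[str, int] = {}  # session id -> user id

    def issue_key(self, user_id: int) -> str:
        token = secrets.token_urlsafe(32)
        self.api_keys[_fingerprint(token)] = user_id
        return token

    def delete_key(self, token: str) -> None:
        self.api_keys.pop(_fingerprint(token), None)

    def lookup_key(self, token: str) -> Optional[int]:
        return self.api_keys.get(_fingerprint(token))

    def authenticate_persistent(self, token: str) -> Optional[dict]:
        """Vulnerable shape: the key authenticates the request and also
        writes a session, which delete_key() never sees."""
        user_id = self.lookup_key(token)
        if user_id is None:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user_id  # outlives the key
        return {"user_id": user_id, "session": sid}

    def authenticate_once(self, token: str) -> Optional[dict]:
        """Fixed shape: authenticate this request only; nothing is written,
        so the key's deletion is the end of the access."""
        user_id = self.lookup_key(token)
        if user_id is None:
            return None
        return {"user_id": user_id, "session": None}

    def request_with_session(self, sid: str) -> Optional[int]:
        return self.sessions.get(sid)

    def revoke_user_sessions(self, user_id: int) -> int:
        """Cleanup an operator still needs after the fix: sessions minted
        through the old path before the change remain valid until dropped."""
        stale = [sid for sid, uid in self.sessions.items() if uid == user_id]
        for sid in stale:
            del self.sessions[sid]
        return len(stale)


def demo() -> dict:
    """Issue a key, use it both ways, delete it, then probe what survives."""
    panel = Panel()
    token = panel.issue_key(user_id=7)
    persistent = panel.authenticate_persistent(token)
    panel.delete_key(token)
    return {
        "key_after_delete": panel.lookup_key(token),
        "once_after_delete": panel.authenticate_once(token),
        "session_after_delete": panel.request_with_session(persistent["session"]),
        "revoked": panel.revoke_user_sessions(7),
        "session_after_revoke": panel.request_with_session(persistent["session"]),
    }


if __name__ == "__main__":
    print(demo())
```

After `delete_key`, the key itself and the per-request path both fail, yet the session minted by the persistent path still resolves to user 7 until `revoke_user_sessions` drops it; that last step is what the code-level fix does not do on its own.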
| Field | Value |
| --- | --- |
| Fixing_vulnerabilities | |
| Risk_score | 3.1 |
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:composer/pterodactyl/panel@0.7.0-rc.2 |