
multiOTP HOTP implementation check can be run unauthenticated #217

@robvh1


Using multiOTP 5.9.9.1 (2025-01-20), running with PHP version 8.3.15 on Windows.

During a security scan we ran into an issue with the webservice for the Windows installation (it might be on other platforms as well, but we have not tested that).


Whenever the scanner hits a URL that starts with /check, it triggers the 'multiOTP HOTP implementation check'.
This page, check.multiotp.class.php, does a total of 67 checks and does make changes to the configuration of your multiOTP implementation
(it creates 5 accounts and 18 tokens, and also changes the AD Sync group, among a few other things).


This seems to be caused by a line inserted by 'webservice_install.cmd', which adds the following to .\webservice\conf\sites-enabled\multiotp.conf:

location /check { root "C:/multiotp"; try_files $uri $uri/ /check.multiotp.class.php$is_args$args; }

I suppose this is for initial testing and debugging, but it should not be in there after configuration (as it can be called without credentials).

Also, please consider removing this line just above it from the config, which causes the server to react to any URI:
try_files $uri $uri/ /multiotp.server.php;
and changing
location / { try_files $uri $uri/ /multiotp.server.php; }
to
location /$ { try_files $uri $uri/ /multiotp.server.php; }
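As an added example (not code from this issue or from the multiOTP project), a small Python audit that walks an nginx config in file order and flags the two things this report describes: a `/check` location that exposes the self-test page, and a `try_files` fallback to `multiotp.server.php` at server level or under a prefix-match `location /`. The sample configs are constructed from the lines quoted above; the hardened variant's `rewrite` inside an exact-match `location = /` is an assumed alternative, not the project's own fix.

```python
import re

# Constructed sample (not the project's file) of the multiotp.conf server block the issue describes.
SAMPLE_CONF = r"""
server {
    root "C:/multiotp";
    try_files $uri $uri/ /multiotp.server.php;
    location / { try_files $uri $uri/ /multiotp.server.php; }
    location /check { root "C:/multiotp"; try_files $uri $uri/ /check.multiotp.class.php$is_args$args; }
    location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; }
}
"""

# Hardened variant (an assumption, not the project's fix): no /check location, exact match on / only.
HARDENED_CONF = r"""
server {
    root "C:/multiotp";
    location = / { rewrite ^ /multiotp.server.php last; }
    location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; }
}
"""

# Tokens in file order (simplified: comments and braces inside quoted strings are not handled).
TOKEN_RE = re.compile(
    r"location\s+(?P<mod>=|~\*|~|\^~)?\s*(?P<path>[^\s{]+)\s*\{"
    r"|(?P<open>\{)|(?P<close>\})|try_files\s+(?P<tf>[^;]+);"
)

def audit_multiotp_conf(conf: str) -> list[str]:
    findings = []
    stack = []  # one entry per open brace: (modifier, path) for locations, else None
    for m in TOKEN_RE.finditer(conf):
        if m.group("path") is not None:
            loc = (m.group("mod") or "", m.group("path"))
            stack.append(loc)
            if loc[0] in ("", "=", "^~") and loc[1].startswith("/check"):
                findings.append(f"location {loc[1]}: self-test page reachable without credentials")
        elif m.group("open"):
            stack.append(None)
        elif m.group("close"):
            if stack: stack.pop()
        else:  # try_files: a fallback to multiotp.server.php outside an exact-match location
            args = m.group("tf").split()
            if args and args[-1].startswith("/multiotp.server.php"):
                loc = next((c for c in reversed(stack) if c is not None), None)
                if loc is None:
                    findings.append("server-level try_files: every unmatched URI falls through to multiotp.server.php")
                elif loc == ("", "/"):
                    findings.append("location /: prefix match sends every URI to multiotp.server.php")
    return findings
```

Run it against the real `multiotp.conf` by reading the file into `audit_multiotp_conf`; an empty list means neither of the reported patterns is present.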
