Potential risk of authentication bypass through magic hash and loose comparison #1121

Open
peng-hui opened this issue May 21, 2020 · 3 comments

peng-hui commented May 21, 2020

Codiad/components/user/class.user.php:Authenticate() is potentially vulnerable to the magic hash problem, and the authentication can be bypassed in the loose comparison (==).

If the encrypted hash value for the passwords forms certain formats of magic hash, e.g., 0e123…, it can be bypassed. For example, if the server-side stored password hash is a magic hash, then another user can also try a magic hash password to authenticate.
It can be avoided by using a strict comparison (`===`).

More info about magic hash can be found here
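The comparison problem the issue describes, as an added example that is not Codiad's code: two constructed strings of the form `0e` followed by digits compare equal under `==` because PHP treats both as numeric strings (0 × 10^N), while `===`, `hash_equals()` and the `password_hash()`/`password_verify()` pair asked about later in the thread do not type-juggle. The hash values and the password are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed values shaped like "magic hashes": "0e" followed only by digits.
// Neither is a real user's hash. PHP parses each as the float literal 0.0 when
// they are compared with == as two numeric strings (PHP 7 and PHP 8 alike).
$storedHash    = '0e123456789012345678901234567890';
$submittedHash = '0e999999999999999999999999999999';

// Vulnerable pattern from the issue: both sides are numeric strings, so ==
// compares them as floats, and 0.0 == 0.0 holds even though the strings differ.
function looseMatch(string $stored, string $submitted): bool
{
    return $stored == $submitted;
}

// Fix proposed in the issue: === compares type and bytes, no numeric juggling.
function strictMatch(string $stored, string $submitted): bool
{
    return $stored === $submitted;
}

// Same correctness, plus constant-time comparison for fixed-length digests.
function safeMatch(string $stored, string $submitted): bool
{
    return hash_equals($stored, $submitted);
}

// The approach asked about for Atheos: password_hash() output begins with a
// "$" (e.g. "$2y$..."), so it can never be a numeric string, and
// password_verify() performs its own constant-time check internally.
function verifyWithPasswordApi(string $storedPasswordHash, string $candidate): bool
{
    return password_verify($candidate, $storedPasswordHash);
}

$storedPasswordHash = password_hash('constructed-example-password', PASSWORD_DEFAULT);

var_dump(looseMatch($storedHash, $submittedHash));   // loose: magic-hash bypass
var_dump(strictMatch($storedHash, $submittedHash));  // strict: strings differ
var_dump(safeMatch($storedHash, $submittedHash));    // hash_equals: strings differ
var_dump(verifyWithPasswordApi($storedPasswordHash, 'constructed-example-password'));
var_dump(verifyWithPasswordApi($storedPasswordHash, '0e999999'));
```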

HLSiira commented May 22, 2020

If you don't mind me asking, is this taken care of by using the PHP `password_verify` function, such as in the user class of Atheos, a fork of Codiad?

peng-hui commented May 22, 2020

> If you don't mind me asking, is this taken care of by using the PHP `password_verify` function, such as in the user class of Atheos, a fork of Codiad?

In your case, I think the `password_verify` function does not have this kind of problem. Your password encryption function is the PHP built-in function `password_hash`, which generates hash values starting with `$`, and this protects it from this kind of bug.

HLSiira commented May 22, 2020

You are a hero; thank you. When I saw that Codiad had a vulnerability, I got worried that Atheos had it as well.