Fix type juggling vulnerability
PHP evaluates `!=` a bit loosely on the type. So "0000" == "0e5678" is true in PHP. An attacker could send a zeroed cookie_hash `"0"*32` and only need a collision with a calculated hash beginning with `0e` followed by only numbers. In our tests (with auth.secret set to `stable`) a valid cookie is `cmkadmin:58191275:00000000000000000000000000000000`. For a remote attacker this would have needed 58,191,275 guesses.
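As an added example (not the project's code), the PHP below shows the loose comparison the commit message describes next to a strict check. Only the cookie layout `user:issue_time:hash` and the secret `stable` come from the commit message; the keyed hash function `compute_hash()`, the cookie-checking functions and the `0e`-shaped sample hash are assumptions constructed for this demo.

```php
<?php
// Added example, not the project's code. Demonstrates why `!=` / `==` must
// not be used to compare an attacker-supplied hash with a computed one.

const AUTH_SECRET = 'stable'; // value used in the commit message's tests

// Assumed hash construction for the demo (the real scheme is not shown on the page).
function compute_hash(string $user, string $issue_time): string
{
    return md5($user . ':' . $issue_time . ':' . AUTH_SECRET);
}

// Vulnerable form: `!=` on two numeric-looking strings compares them as numbers.
// "0e<digits>" parses as 0.0 and "000...0" parses as 0, so they compare equal.
function hash_matches_loose(string $expected, string $sent): bool
{
    if ($expected != $sent) {
        return false;
    }
    return true;
}

// Fixed form: hash_equals() is a strict, constant-time byte comparison.
function hash_matches_strict(string $expected, string $sent): bool
{
    return hash_equals($expected, $sent);
}

// Cookie check parameterised on the comparison so both variants can be run.
function cookie_valid(string $cookie, callable $compare, ?string $forced_expected = null): bool
{
    $parts = explode(':', $cookie, 3);
    if (count($parts) !== 3) {
        return false;
    }
    [$user, $issue_time, $sent_hash] = $parts;
    // $forced_expected lets the demo stand in for a server-side hash that
    // happens to have the 0e<digits> shape; normally it is computed.
    $expected = $forced_expected ?? compute_hash($user, $issue_time);
    return $compare($expected, $sent_hash);
}

// 1. The raw comparison semantics, independent of any hash.
var_dump("0000" == "0e5678");            // bool(true)
var_dump("0000" === "0e5678");           // bool(false)
var_dump(hash_equals("0000", "0e5678")); // bool(false)

// 2. A forged cookie carrying the all-zero hash from the commit message.
$forged = 'cmkadmin:58191275:' . str_repeat('0', 32);

// Constructed 32-hex-char value of the shape 0e<digits>; it stands in for the
// rare server-side hash that makes the loose check pass. Not a real md5 output
// for this input.
$zero_e_shaped = '0e' . str_repeat('1', 30);

var_dump(cookie_valid($forged, 'hash_matches_loose', $zero_e_shaped));  // bool(true)  <- accepted, bug
var_dump(cookie_valid($forged, 'hash_matches_strict', $zero_e_shaped)); // bool(false) <- rejected

// 3. With an ordinary computed hash neither variant accepts the forgery,
//    which is why the bug only shows up after enough issue-time guesses.
var_dump(cookie_valid($forged, 'hash_matches_loose'));  // bool(false)
var_dump(cookie_valid($forged, 'hash_matches_strict')); // bool(false)
```

The defensive rule this illustrates: compare secrets and digests with `hash_equals()` (or at minimum `===`), never with `==`/`!=`, because PHP converts numeric-looking strings to numbers before a loose comparison.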