Fix type juggling vulnerability
PHP evaluates `!=` a bit loosely on the type. So "0000" == "0e5678" is
true in PHP. An attacker could send a zeroed cookie_hash `"0"*32` and
only need a collision with a calculated hash beginning with `0e`
followed by only numbers.

In our tests (with auth.secret set to `stable`) a valid cookie is
`cmkadmin:58191275:00000000000000000000000000000000`.

For a remote attacker this would have needed 58,191,275 guesses.
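As an added illustration of the loose comparison the commit message describes (example code written for this page, not the project's own; the hash formula and the `validate*` function names are assumptions), the vulnerable check is shown next to the strict and the constant-time one:

```php
<?php
// Added example, not the project's code. The hash formula below is an
// assumption for illustration; the real generateHash() is not reproduced.
function generateHashExample(string $username, string $sessionId, string $secret): string {
    return md5("$username:$sessionId:$secret");
}

// Before the fix: `!=` on two numeric-looking strings compares them as numbers,
// so "0e<digits>" (0 * 10^n = 0) equals "000...0" (0).
function validateLoose(string $cookieHash, string $hash): bool {
    return !($cookieHash != $hash);
}

// After the fix: `!==` compares type and value, with no numeric coercion.
function validateStrict(string $cookieHash, string $hash): bool {
    return !($cookieHash !== $hash);
}

// Preferred: strict and constant-time, so the comparison does not stop at the
// first differing byte (hash_equals() exists since PHP 5.6).
function validateConstantTime(string $cookieHash, string $hash): bool {
    return hash_equals($hash, $cookieHash);
}

// Constructed inputs: the zeroed cookie_hash from the commit message, and a
// constructed 32-char value of the form 0e<digits> standing in for a server-side
// hash that happens to look numeric.
$zeroedCookieHash = str_repeat('0', 32);
$numericLookingHash = '0e' . str_repeat('1', 30);

var_dump(validateLoose($zeroedCookieHash, $numericLookingHash));        // accepted: the bug
var_dump(validateStrict($zeroedCookieHash, $numericLookingHash));       // rejected
var_dump(validateConstantTime($zeroedCookieHash, $numericLookingHash)); // rejected

// A genuine cookie still passes the strict and constant-time checks.
$hash = generateHashExample('cmkadmin', '58191275', 'stable');
var_dump(validateStrict($hash, $hash), validateConstantTime($hash, $hash));
```

Both operands are numeric strings, so the loose comparison stays numeric even on PHP 8, whose revised comparison rules only changed how strings compare against actual numbers.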
Maximilian Wirtz authored and LarsMichelsen committed Aug 29, 2022
1 parent 7d60f92 commit 7574fd8
Showing 1 changed file with 1 addition and 3 deletions.
4 changes: 1 addition & 3 deletions share/server/core/classes/CoreLogonMultisite.php
@@ -114,12 +114,10 @@ private function checkAuthCookie($cookieName) {
$hash = $this->generateHash($username, $sessionId, (string) $user_secret);

// Validate the hash
if ($cookieHash != $hash) {
if ($cookieHash !== $hash) {
throw new Exception();
}

// FIXME: Maybe renew the cookie here too

return $username;
}
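Review bot: the switch to `!==` removes the numeric coercion, but a plain strict string comparison still returns at the first differing byte, so the time taken leaks how much of `$cookieHash` matches `$hash`; `hash_equals($hash, $cookieHash)` gives a strict, constant-time comparison in a single call and would be the stronger replacement here. The `// FIXME: Maybe renew the cookie here too` left in the context is unrelated to this fix and could be tracked separately.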

