Fix Type Juggling Bypass in Auth Functions #2542
Please add to master ASAP
@dgw
There are probably more places where === should be used instead of ==, that aren't security-related, too. This is a good idea.
I have a test YOURLS installation that some bots were able to find and are once in a while injecting some malicious shortened URL into... I applied this patch, but it's still happening. Any ideas?
@skaag most likely something else involved. URL of your test install?
This is it (it has just 3 shortened links on it as a test, works fine so far):

@ozh:
Soooooo.... "bots" found and are "injecting" URL ... on your publicly available interface? Hmmkey.
The auth functions are vulnerable to Type Juggling attacks. Non-strict comparisons can be used by an attacker to bypass auth and gain access to the admin page and API.
If PHP decides that both operands look like numbers, it will convert both and perform a numeric comparison. Example: "0e348324" == "0e99" is true
This commit fixes 4 vulnerabilities:
Lastly, the time-limited token functionality can be abused to gain unauthorised access to the API without any requisite. Again, a type juggling attack is possible, but this time the attacker controls the result of the MD5, so thousands of requests can be made till the resultant hash takes the form of a number. We can bypass the YOURLS_NONCE_LIFE by introducing decimals in the timestamp, making the attack viable.
References:
https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf
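The following is an added illustration of the two points made in this PR description (loose `==` on hash-like strings, and timestamp handling for time-limited tokens); it is not YOURLS code and not part of the patch. The function names `verify_token`, `time_bucket` and `is_valid_timestamp`, and the `NONCE_LIFE` constant, are hypothetical stand-ins chosen for the example, not YOURLS identifiers.

```php
<?php
// Added example, not YOURLS code: how PHP's loose comparison treats
// numeric-looking strings, and what a strict check looks like instead.
declare(strict_types=1);

// Two constructed hash-like strings of the form "0e<digits>". PHP reads both as
// floats in scientific notation (0 * 10^N == 0.0), so `==` reports them equal.
$stored   = '0e348324';
$supplied = '0e99';

var_dump($stored == $supplied);   // bool(true)  -- loose: both coerced to float(0)
var_dump($stored === $supplied);  // bool(false) -- strict: different strings

// Hypothetical hardened comparison (assumed name, not a YOURLS function).
// hash_equals() compares as strings, rejects differing lengths and runs in
// time independent of where the first mismatch occurs.
function verify_token(string $expected, string $provided): bool {
    return hash_equals($expected, $provided);
}

var_dump(verify_token($stored, $supplied)); // bool(false)

// Time-limited tokens: derive the time bucket from an integer, and reject any
// client-supplied timestamp that is not a plain run of digits, so decimals or
// exponent notation cannot reach the arithmetic or the hash input.
const NONCE_LIFE = 43200; // assumed lifetime in seconds for this example only

function time_bucket(int $now, int $life): int {
    return intdiv($now, $life);
}

function is_valid_timestamp(string $t): bool {
    return ctype_digit($t); // rejects "1234.5", "1e3", "-5" and ""
}

var_dump(is_valid_timestamp('1700000000'));    // bool(true)
var_dump(is_valid_timestamp('1700000000.5'));  // bool(false)
var_dump(time_bucket(1700000000, NONCE_LIFE)); // int(39351)
```

The design choice worth noting is that the fix is not only `===` in place of `==`: comparing secrets with `hash_equals()` removes the type-coercion problem and the timing leak at once, and validating the timestamp as an integer string before it is used closes the decimal-in-timestamp path described above.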