
Should use === for hashing instead of ==

Moderate
mesosoi published GHSA-w4wq-7j4q-j2fh Aug 30, 2022

Package

accounts.php (SilverwareGames.io)

Affected versions

1.1.8

Patched versions

1.1.9

Description

Due to a non-obvious feature of PHP, hashes generated by built-in functions that start with "0e" are treated by the == comparison as numbers in exponent notation, that is, zero multiplied by a power of ten. Therefore, the value is equal to 0.

This vulnerability is unlikely to be reproduced, since an attacker would have to spend some time discovering it and finding a victim, and the victim would have to be "lucky" enough that their password hash starts with "0e".

To fix this, I should use === instead of == in comparisons wherever possible (e.g. in the sign-in/sign-up handlers).
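The comparison behaviour described above, as an added example that is not code from accounts.php or from the project. The three hash-shaped strings are constructed sample values, the helper names `looseMatch` and `strictMatch` are hypothetical, and PHP's built-in `hash_equals()` is included as a further strict comparison beyond the fix named in the advisory.

```php
<?php
declare(strict_types=1);

// Constructed sample values shaped like hex hash output; not real account data.
$samples = [
    'stored'    => '0e462097431906509019562988736854', // "0e" then digits only
    'different' => '0e830400451993494058024219903391', // other digits, same shape
    'mixed'     => '0e83040045199349405802421990339a', // "0e" prefix plus a hex letter
];

// Hypothetical helper: the loose comparison the advisory warns about.
// When both operands are numeric strings, PHP compares them as numbers,
// and "0e<digits>" parses as 0 * 10^<digits>, i.e. 0.0 on both sides.
function looseMatch(string $a, string $b): bool
{
    return $a == $b;
}

// Hypothetical helper: the strict comparison the advisory recommends.
// === requires the same type and identical contents, with no numeric parsing.
function strictMatch(string $a, string $b): bool
{
    return $a === $b;
}

foreach (['different', 'mixed'] as $other) {
    printf(
        "stored vs %-9s  ==: %-5s  ===: %-5s  hash_equals: %s\n",
        $other,
        var_export(looseMatch($samples['stored'], $samples[$other]), true),
        var_export(strictMatch($samples['stored'], $samples[$other]), true),
        // hash_equals() is PHP's built-in byte-wise, timing-safe string comparison.
        var_export(hash_equals($samples['stored'], $samples[$other]), true)
    );
}
```

Only the == column reports a match, and only for the `different` sample; the `mixed` sample is not a numeric string, so even == falls back to comparing it as text.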

Severity

Moderate

CVE ID

CVE-2022-36072

Weaknesses