Bypass authentication through loose comparison #668

Closed
peng-hui opened this issue May 26, 2020 · 2 comments
@peng-hui

[lists/index.php:145]

$encP == $userpassword && $_POST['email'] == $emailcheck;
has the potential for an authentication bypass through loose comparison (==).

Here is another [example].

$canlogin = $_POST['password'] == $userpassword && $_POST['email'] == $emailcheck;

A similar CVE can be found: CVE-2020-8547, and here.

In addition, in

if (empty($_POST['password']) || $_POST['password'] != $_POST['password_check']) {

It also uses a loose comparison. The functionality might not perform correctly for the password rechecking in the magic strings cases. For example, "0e11" and "0e22" shall be equal under loose comparison, but actually they are not.
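
The following is an added example, not part of the original issue and not the project's own code. It contrasts the loose comparison quoted above with a strict check, using the "0e11" / "0e22" strings from the report: the loose check accepts the mismatched pair and the strict one rejects it. The function names `loose_login`, `strict_login` and `passwords_match`, and the sample email address, are hypothetical.

```php
<?php
declare(strict_types=1);

// Same shape as the reported check: == converts numeric-looking strings
// to numbers before comparing, so "0e11" and "0e22" both become 0.0.
function loose_login($postedEmail, $postedSecret, $storedEmail, $storedSecret): bool
{
    return $postedSecret == $storedSecret && $postedEmail == $storedEmail;
}

// Hypothetical hardened form: no type juggling, constant-time secret compare.
function strict_login($postedEmail, $postedSecret, string $storedEmail, string $storedSecret): bool
{
    // Request parameters can arrive as arrays (password[]=x); accept strings only.
    if (!is_string($postedEmail) || !is_string($postedSecret)) {
        return false;
    }
    // hash_equals() compares the strings byte for byte.
    $secretOk = hash_equals($storedSecret, $postedSecret);
    $emailOk  = $postedEmail === $storedEmail;
    return $secretOk && $emailOk;
}

// Strict form of the "password" / "password_check" confirmation test.
function passwords_match($password, $passwordCheck): bool
{
    return is_string($password) && $password !== ''
        && is_string($passwordCheck)
        && hash_equals($password, $passwordCheck);
}

// Constructed sample values; the two secrets are the strings from the issue.
$email  = 'user@example.com';
$stored = '0e11';
$posted = '0e22';

echo 'loose,  mismatched secret: ';
var_dump(loose_login($email, $posted, $email, $stored));
echo 'strict, mismatched secret: ';
var_dump(strict_login($email, $posted, $email, $stored));
echo 'strict, matching secret:   ';
var_dump(strict_login($email, $stored, $email, $stored));
echo 'strict, array input:       ';
var_dump(strict_login($email, ['x'], $email, $stored));
echo 'recheck "0e11" vs "0e22":  ';
var_dump(passwords_match('0e11', '0e22'));
```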

@suelaP
Member

suelaP commented May 26, 2020

Hi @peng-hui,
Thanks for the report. Would you be willing to submit a pull request with the fix?

@michield
Member

Resolved with def1cee
