Authorization bypass in Authorization.php #11
Comments
This is the line you are talking about,
@Dygear Yes. E.g. just set $password in your config to '0e1'. You should be able to login with just '0' as password.
@raymontag did you request CVE identifier for this vulnerability (https://cveform.mitre.org/)?
@fgeek Not yet, will do this evening.
@raymontag thank you. Site https://www.phpliteadmin.org/ seems to list https://bitbucket.org/phpliteadmin/public/issues as official issue tracker. Can you report this there so that upstream developers are aware? If you need any help just contact me via henri@nerv.fi
I just fixed this. At 2 more places, I exchanged The development version download, the bitbucket and github repos should contain the fix. Stable version is affected I guess. I will check if all versions are affected and prepare a security alert post. I guess it is a good time to release a new stable version soon, after such a long time. Please confirm that this solves your concern.
@crazy4chrissi nice. much appreciated :)
@crazy4chrissi It does fix it, indeed. Thank you for your fast reply :) And yes, for the hash comparison it's much more improbable from my view. There are cases where this can be a problem with hashes nevertheless. If you are interested in this, have a quick glance at the presentation by Gregor: http://gregorkopf.de/slides_berlinsides_2010.pdf
@crazy4chrissi One addition: From my research stable versions 1.9.5 to 1.9.7.1 are affected.
41545fe#diff-40de8edc3e821c8cb567cbc0b253e6cbL40 is actually exploitable regardless of what the admin password is, by just iterating through random salts until an md5 happens to match curl http://localhost:4444/ -b "pla3412_1_9_7_1=0; pla3412_1_9_7_1_salt=T1YSLHj7R;" will log you in because
FTR: CVE-2018-10362 was assigned for this. Edit: Sorry, didn't see that @carnil mentioned it.
@wbowling You are right, thanks for the addition!
You should really be using a constant time function to compare strings like this, whether they are raw passwords or hashes: https://secure.php.net/manual/en/function.hash-equals.php EDIT: I realise now that you support older versions of PHP. I highly recommend use of this polyfill library to get access to
@MichaelGooden Yeah, I thought we already did, but now realize this was only for the csrf token check. Agreed we should use @wbowling What you mean is that this is exploitable before the changes made in 41545fe, right? Just to make sure I don't miss something else you found.
@crazy4chrissi @MichaelGooden I don't think that timing attacks are a realistic scenario against '==='. This doesn't even work on localhost without magic. Maybe with some crazy math skills in statistics...
Or just with simple statistical analysis: https://blog.ircmaxell.com/2014/11/its-all-about-time.html
Please comment on the latest commit.
@crazy4chrissi yes before the changes, it's fixed in 41545fe
@MichaelGooden Thx for the link :)
@raymontag @wbowling @MichaelGooden
My personal opinion is to drop older PHP versions.
@crazy4chrissi @MichaelGooden From my point of view timing attacks are still not an issue. Just taking the average is not enough for sure. I talked to some experienced exploit developers and they support my opinion. However, you can go this way, it will not make it worse probably :) Regarding your changes in general, it seems fine for me. Maybe @wbowling sees something I missed? Regarding what function to use, I don't have strong opinions.
Nothing else from me
@MichaelGooden For most projects I would agree to drop support for anything that receives no security updates anymore. But
And we want to keep things small, so I don't want to add too much fallback-code for old php-versions. If possible, let's just do it the old way ;)
All valid points, let me get off my soapbox and comment on the actual code ;) The only thing I can see is to be aware that on PHP versions prior to 5.3.7 this will be vulnerable to the BCRYPT implementation issue. EDIT: May be worth mentioning that your

```php
/**
 * Count the number of bytes in a string
 *
 * We cannot simply use strlen() for this, because it might be overwritten by the mbstring extension.
 * In this case, strlen() will count the number of *characters* based on the internal encoding. A
 * sequence of bytes might be regarded as a single multibyte character.
 */
function _strlen($binary_string) {
    if (function_exists('mb_strlen')) {
        return mb_strlen($binary_string, '8bit');
    }
    return strlen($binary_string);
}
```
Fixed in phpLiteAdmin 1.9.8 released today.
@crazy4chrissi Thank you for your work towards more secure open-source software!
@crazy4chrissi What's your email address?
The attemptGrant function of the Authorization class uses '==' comparison instead of '===' comparison. This can lead to a problem if the password is a number written in scientific notation. E.g.:
You should use === even if this is just a problem with a small impact.
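The loose comparison described in the issue body above, together with the hash comparison and hash_equals() discussion earlier in the thread, as an added example. This is not phpLiteAdmin's code: the function names, the configured password '0e1' and the guesses, and the "0e"-shaped hex strings are all constructed for illustration. It shows that `==` treats two numeric-looking strings as numbers, so `'0' == '0e1'` and two different `0e...` digests all compare equal, while `===` and a constant-time comparison reject them.

```php
<?php
// Added example for this thread; not phpLiteAdmin's code. It shows why a
// password check built on "==" accepts the wrong input when the configured
// password is a numeric-looking string such as '0e1', why the same defect
// applies to comparing hex digests, and what the strict and constant-time
// replacements return instead.

// The original defect: PHP compares two numeric strings as numbers, so
// '0' == '0e1' is true ('0e1' is 0 * 10^1).
function looseCheck($configured, $submitted) {
    return $submitted == $configured;
}

// Strict comparison: same type and identical bytes, no numeric coercion.
function strictCheck($configured, $submitted) {
    return $submitted === $configured;
}

// Constant-time, strict comparison. hash_equals() is built in from PHP 5.6;
// the fallback below is a minimal version written for this example, in the
// style of the polyfill mentioned in the thread. It assumes strlen() counts
// bytes (mbstring.func_overload off), which the thread's _strlen() snippet
// guards against.
function constantTimeEquals($known, $user) {
    if (function_exists('hash_equals')) {
        return hash_equals($known, $user);
    }
    if (!is_string($known) || !is_string($user)) {
        return false;
    }
    $len = strlen($known);
    if ($len !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < $len; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

// Run all three checks over constructed inputs and return the outcomes.
function demo() {
    // Constructed: a configured password PHP treats as numeric, and guesses
    // that are numerically zero but are not the configured string.
    $configured = '0e1';
    $guesses = array('0', '0.0', '00', '0e1');

    // Constructed: two md5-length hex strings of the "0e" + digits shape.
    // They differ byte for byte, yet "==" reads both as 0.0. This is the
    // hash-comparison variant raised later in the thread. Made-up values,
    // not real digests.
    $storedHash   = '0e' . str_repeat('1', 30);
    $computedHash = '0e' . str_repeat('2', 30);

    $results = array();
    foreach ($guesses as $guess) {
        $results['password ' . $guess] = array(
            'loose'  => looseCheck($configured, $guess),
            'strict' => strictCheck($configured, $guess),
            'ct'     => constantTimeEquals($configured, $guess),
        );
    }
    $results['hash'] = array(
        'loose'  => looseCheck($storedHash, $computedHash),
        'strict' => strictCheck($storedHash, $computedHash),
        'ct'     => constantTimeEquals($storedHash, $computedHash),
    );
    return $results;
}

foreach (demo() as $case => $r) {
    printf("%-14s loose=%-5s strict=%-5s constant-time=%s\n",
        $case,
        $r['loose'] ? 'true' : 'false',
        $r['strict'] ? 'true' : 'false',
        $r['ct'] ? 'true' : 'false');
}
// Only the exact string '0e1' passes the strict and constant-time checks;
// every other row, including the two different digests, is accepted by "==".
```

The strict check alone closes the bug reported here; the constant-time variant is what hash_equals() provides and is the reasonable default for any secret comparison, whether or not the timing side channel is considered practical in a given deployment.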