
Authentication bypass #673

Closed
jvoisin opened this issue Mar 11, 2017 · 3 comments

@jvoisin

commented Mar 11, 2017

The file PDOBasicAuth is vulnerable to an authentication bypass in the validateUserPass function:

    function validateUserPass($username, $password) {

        // Look up the stored digest (md5 of "user:realm:password") for this user
        $stmt = $this->pdo->prepare('SELECT username, digesta1 FROM ' . $this->tableName . ' WHERE username = ?');
        $stmt->execute([$username]);
        $result = $stmt->fetchAll();

        if (!count($result)) return false;

        $hash = md5($username . ':' . $this->authRealm . ':' . $password);
        // Loose comparison (==) of two digest strings: the bug described below
        if ($result[0]['digesta1'] == $hash)
        {
            $this->currentUser = $username;
            return true;
        }
        return false;

    }

Using the `==` operator makes the authentication test vulnerable to type juggling: if the expected hash (`$result[0]['digesta1']`) starts with `0e`, it will match against any hash that also starts with `0e`.

A way to fix this would be to use the === operator instead.
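Added illustration (not part of jvoisin's report and not Baikal's code): it shows the loose-comparison behaviour the report describes on two constructed digest-shaped strings, and a hardened comparison using PHP's built-in `hash_equals()`. The `digestMatches` helper and the realm name are assumptions for the example only.

```php
<?php
// Added example, not code from the issue or from Baikal.

// Constructed stand-ins for two *different* 32-character digests that both
// start with "0e" followed only by digits. PHP treats such strings as numeric
// ("0 times 10^n"), so `==` compares them as the number 0 and reports equality.
$storedDigest   = '0e' . str_repeat('1', 30);   // constructed, not a real md5 value
$computedDigest = '0e' . str_repeat('2', 30);   // constructed, not a real md5 value

var_dump($storedDigest == $computedDigest);            // loose: numeric-string juggling
var_dump($storedDigest === $computedDigest);           // strict: compared byte for byte
var_dump(hash_equals($storedDigest, $computedDigest)); // strict and constant-time

// Hardened form of the comparison from the issue (hypothetical helper, not the
// project's function). hash_equals() compares the full strings without type
// juggling and without early exit, so it removes the bypass and the timing leak.
function digestMatches(string $storedDigest, string $username, string $realm, string $password): bool
{
    $computed = md5($username . ':' . $realm . ':' . $password);
    return hash_equals($storedDigest, $computed);
}

// Sanity checks against a constructed user record.
$realm  = 'ExampleRealm';  // assumed realm name, not taken from the page
$stored = md5('alice:' . $realm . ':correct horse battery staple');
var_dump(digestMatches($stored, 'alice', $realm, 'correct horse battery staple'));
var_dump(digestMatches($stored, 'alice', $realm, 'wrong password'));
```

Run with `php example.php`: the first `var_dump` is the only one on the constructed pair that reports `true`, which is exactly the bypass; the `digestMatches` checks accept only the correct password. `hash_equals()` has been available since PHP 5.6 and is preferable to `===` for secrets because its running time does not depend on where the strings first differ.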

@chrisdecker1201


commented Apr 5, 2017

If that's the case, I think the maintainers of this tool are happy about a pull request from you 😄

deflomu added a commit to deflomu/Baikal that referenced this issue Apr 28, 2017

@DanielRuf


commented Aug 4, 2017

Still md5? =(

@ByteHamster

Member

commented Apr 26, 2019

The authentication bypass is fixed in the new 0.5.2 release. Feel free to re-open the issue if you can still reproduce the problem on 0.5.2.
