Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Authentication bypass #673

jvoisin opened this issue Mar 11, 2017 · 3 comments

Authentication bypass #673

jvoisin opened this issue Mar 11, 2017 · 3 comments


Copy link

@jvoisin jvoisin commented Mar 11, 2017

The file PDOBasicAuth is vulnerable to an authentication bypass in the validateUserPass function:

    function validateUserPass($username, $password) {

        $stmt = $this->pdo->prepare('SELECT username, digesta1 FROM ' . $this->tableName . ' WHERE username = ?');
        $result = $stmt->fetchAll();

        if (!count($result)) return false;

        $hash = md5($username . ':' . $this->authRealm . ':' . $password);
        if ($result[0]['digesta1'] == $hash)
            $this->currentUser = $username;
            return true;
        return false;


Using the == operator make the authentication test vulnerable to type juggling: if the expected hash ($result[0]['digesta1']) starts with 0e, it will match against any hash that also starts with 0e`.

A way to fix this would be to use the === operator instead.

Copy link

@chrisdecker1201 chrisdecker1201 commented Apr 5, 2017

If that's the case, I think the maintainer of this tool are happy about a pull request from you 😄

deflomu added a commit to deflomu/Baikal that referenced this issue Apr 28, 2017
Copy link

@DanielRuf DanielRuf commented Aug 4, 2017

Still md5? =(

Copy link

@ByteHamster ByteHamster commented Apr 26, 2019

The authentication bypass is fixed in the new 0.5.2 release. Feel free to re-open the issue if you can still reproduce the problem on 0.5.2.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants