Type Confusion in lirantal/daloradius

Valid

Reported on

Jan 4th 2022


Description

During the comparisons of different variables, PHP will automatically convert the data into a common, comparable type. This makes it possible to compare the number 12 to the string '12' or check whether or not a string is empty by using a comparison like $string == True. This, however, leads to a variety of problems and might even cause security vulnerabilities.The use == and != of might cause type juggling at the affected code.
https://github.com/lirantal/daloradius/ is vulnerable to Use of Wrong Operator in String Comparison as shown below:

Proof of concept

Vuln variable: $newpassword = $_POST['newpassword'] $verifypassword = $_POST['verifypassword']
Snippet:

        $newPassword = $_POST['newpassword'];
        $verifyPassword = $_POST['verifypassword'];
        if ($newPassword == $verifyPassword) {

Payload

Set the first variable to
0e12345 and set the second value to
0e54321 Observe the comparision returns true.

Impact

This vulnerability is capable of authentication bypass via magic hash attack

References

https://www.netsparker.com/blog/web-security/php-type-juggling-vulnerabilities/
https://www.php.net/manual/en/language.operators.comparison.php

We are processing your report and will contact the lirantal/daloradius team within 24 hours. 5 months ago
We have contacted a member of the lirantal/daloradius team and are waiting to hear back 5 months ago
We have sent a follow up to the lirantal/daloradius team. We will try again in 7 days. 4 months ago
We have sent a second follow up to the lirantal/daloradius team. We will try again in 10 days. 4 months ago
We have sent a third and final follow up to the lirantal/daloradius team. This report is now considered stale. 4 months ago
Liran Tal validated this vulnerability 2 months ago
hitisec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Liran Tal
2 months ago

Maintainer


Thanks for disclosing this hitisec. This is a valid report, however the actual impact of this vulnerability doesn't seem to be existing at all since this is a password change for an existing user, right? As such, what sort of authentication is being bypassed?

Liran Tal
2 months ago

Maintainer


I applied a fix here: https://github.com/lirantal/daloradius/commit/e8ec1beaab87f37260d055204b39b123bcef658b

Liran Tal confirmed that a fix has been merged on e8ec1b 2 months ago
Liran Tal has been awarded the fix bounty
to join this conversation