Type Confusion in lirantal/daloradius

Valid

Reported on

Jan 4th 2022


Description

During comparisons of different variables, PHP automatically converts the data into a common, comparable type. This makes it possible to compare the number 12 to the string '12', or to check whether a string is empty with a comparison like $string == True. This, however, leads to a variety of problems and can cause security vulnerabilities. The use of == and != can cause type juggling in the affected code.
https://github.com/lirantal/daloradius/ is vulnerable to Use of Wrong Operator in String Comparison, as shown below:

Proof of concept

Vulnerable variables: $newPassword = $_POST['newpassword'] and $verifyPassword = $_POST['verifypassword']
Snippet:

        $newPassword = $_POST['newpassword'];
        $verifyPassword = $_POST['verifypassword'];
        // loose comparison: two numeric strings are compared as numbers, not byte-for-byte
        if ($newPassword == $verifyPassword) {
            // ... password change proceeds
        }

Payload

Set the first variable to 0e12345 and the second variable to 0e54321. Observe that the comparison returns true.
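The following is an added example, not code from the daloradius project, that reproduces the behaviour described above and shows the two usual hardenings. It assumes nothing about the surrounding daloradius page; the helper names (loosePasswordsMatch, strictPasswordsMatch, constantTimeMatch) are invented for this illustration. Both '0e12345' and '0e54321' are numeric strings in scientific notation, so == compares them as floats (0 × 10^12345 and 0 × 10^54321, both 0.0) and reports them equal; === requires the same type and the same bytes, and hash_equals() additionally runs in constant time, which is what you want whenever a user-supplied value is compared against a secret.

```php
<?php
// Added example (not from the daloradius code base): why the loose
// comparison in the report is unsafe, and how to harden it.

// Vulnerable form: == performs type juggling. Two numeric strings are
// converted to numbers before comparison, so '0e12345' == '0e54321'.
function loosePasswordsMatch(string $new, string $verify): bool
{
    return $new == $verify;
}

// Hardened form: === requires identical type and identical byte sequence.
function strictPasswordsMatch(string $new, string $verify): bool
{
    return $new === $verify;
}

// Preferred form when one side is a secret (token, stored hash, etc.):
// hash_equals() is strict and does not leak length/prefix timing.
function constantTimeMatch(string $known, string $user): bool
{
    return hash_equals($known, $user);
}

// Constructed test cases; the first pair is the payload from the report.
$cases = [
    ['0e12345', '0e54321'],
    ['1e3',     '1000'],     // also numeric strings with equal float value
    ['abc',     'abc'],      // genuinely identical input
    ['abc',     'abd'],
];

foreach ($cases as [$a, $b]) {
    printf("%-8s vs %-8s  ==:%-5s  ===:%-5s  hash_equals:%s\n",
        $a, $b,
        var_export(loosePasswordsMatch($a, $b), true),
        var_export(strictPasswordsMatch($a, $b), true),
        var_export(constantTimeMatch($a, $b), true));
}
```

Run with `php example.php`: the first two pairs report true under == but false under === and hash_equals(); the identical 'abc' pair is true under all three. In a password-change form the practical consequence is only that two differently typed strings can pass the "passwords match" check, which is why the maintainer questioned the authentication-bypass impact below; the same == on a token or stored hash comparison would be the serious case.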

Impact

This vulnerability is capable of authentication bypass via a magic hash attack.

References

https://www.netsparker.com/blog/web-security/php-type-juggling-vulnerabilities/
https://www.php.net/manual/en/language.operators.comparison.php

We are processing your report and will contact the lirantal/daloradius team within 24 hours. a year ago
We have contacted a member of the lirantal/daloradius team and are waiting to hear back a year ago
We have sent a follow up to the lirantal/daloradius team. We will try again in 7 days. a year ago
We have sent a second follow up to the lirantal/daloradius team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the lirantal/daloradius team. This report is now considered stale. a year ago
Liran Tal validated this vulnerability a year ago
hitisec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Liran Tal
a year ago

Maintainer


Thanks for disclosing this hitisec. This is a valid report, however the actual impact of this vulnerability doesn't seem to be existing at all since this is a password change for an existing user, right? As such, what sort of authentication is being bypassed?

Liran Tal
a year ago

Maintainer


I applied a fix here: https://github.com/lirantal/daloradius/commit/e8ec1beaab87f37260d055204b39b123bcef658b

Liran Tal marked this as fixed (available on the tip of the primary branch with commit e8ec1b) a year ago
Liran Tal has been awarded the fix bounty
This vulnerability will not receive a CVE