Authentication Bypass by Primary Weakness in helloxz/onenav

Valid

Reported on

Feb 14th 2022


Description

During the comparisons of different variables, PHP will automatically convert the data into a common, comparable type. This makes it possible to compare the number 12 to the string '12' or check whether or not a string is empty by using a comparison like $string == True. This, however, leads to a variety of problems and might even cause security vulnerabilities.The use == and != of might cause type juggling at the affected code.
https://github.com/helloxz/onenav is vulnerable to this as shown below:

Proof of concept

Vuln variable: if( ($user == $username) && ($pass == $password) ) {
Snippet:

    $user = $_POST['user'];
    $pass = $_POST['password'];
    header('Content-Type:application/json; charset=utf-8');
    if( ($user == $username) && ($pass == $password) ) {
        $key = md5($username.$password.'onenav');

Payload

In data/config.php change password line to

define('PASSWORD','0e462097431906509019562988736854');

Now perform login in http://localhost/index.php?c=login Insert xiaoz as the username and in password insert another string that evaluates to 0 , for example:

0e830400451993494058024219903391

Observe the login is sucessful

Impact

This vulnerability is capable of authentication bypass via magic hash attack

References

https://www.netsparker.com/blog/web-security/php-type-juggling-vulnerabilities/
https://www.php.net/manual/en/language.operators.comparison.php

We are processing your report and will contact the helloxz/onenav team within 24 hours. 3 months ago
We have contacted a member of the helloxz/onenav team and are waiting to hear back 3 months ago
helloxz validated this vulnerability 3 months ago
hitisec has been awarded the disclosure bounty
The fix bounty is now up for grabs
helloxz confirmed that a fix has been merged on cbd6aa 3 months ago
The fix bounty has been dropped
login.php#L14 has been validated
login.php#L21-L25 has been validated
to join this conversation