Authentication Bypass by Primary Weakness in helloxz/onenav


Reported on Feb 14th 2022


During comparisons of different variables, PHP automatically converts the data into a common, comparable type. This makes it possible to compare the number 12 to the string '12', or to check whether a string is empty with a comparison like $string == True. This, however, leads to a variety of problems and can even cause security vulnerabilities. The use of == and != may cause type juggling in the affected code. helloxz/onenav is vulnerable to this as shown below:

Proof of concept

Vulnerable comparison: if( ($user == $username) && ($pass == $password) ) {

    // login.php: $username and $password are the credentials loaded from data/config.php
    $user = $_POST['user'];
    $pass = $_POST['password'];
    header('Content-Type:application/json; charset=utf-8');
    // Loose comparison (==): PHP type juggling applies, so a numeric-looking stored
    // password matches any submitted string that also evaluates to the same number
    if( ($user == $username) && ($pass == $password) ) {
        $key = md5($username.$password.'onenav');


In data/config.php change password line to


Now perform login in http://localhost/index.php?c=login Insert xiaoz as the username and in password insert another string that evaluates to 0 , for example:


Observe that the login is successful


This vulnerability is capable of authentication bypass via magic hash attack
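The loose comparison from login.php beside a strict replacement, run against a constructed config password. This is an added example, not onenav's code; the username 'xiaoz' is from the report above, the password value and the helper names login_loose/login_strict are assumptions.

```php
<?php
// Added example (not onenav's code): the == comparison onenav's login.php used,
// and a strict alternative, tested with a constructed numeric-looking password.

// Constructed stand-ins for the values onenav reads from data/config.php.
$username = 'xiaoz';
$password = '0e123456';   // a string PHP treats as the number 0

// Vulnerable form: == applies PHP type juggling, so two strings that both
// parse as numbers are compared numerically ("0e123456" == "0" is true).
function login_loose(string $user, string $pass, string $username, string $password): bool
{
    return ($user == $username) && ($pass == $password);
}

// Hardened form: hash_equals() compares byte for byte with no type conversion
// (and in constant time). Non-string input, e.g. an array submitted via
// $_POST, is rejected before the comparison.
function login_strict($user, $pass, string $username, string $password): bool
{
    if (!is_string($user) || !is_string($pass)) {
        return false;
    }
    return hash_equals($username, $user) && hash_equals($password, $pass);
}

// Constructed login attempts: the real password, the report's bypass input,
// another string that juggles to 0, and a plainly wrong password.
$attempts = [
    ['xiaoz', '0e123456'],
    ['xiaoz', '0'],
    ['xiaoz', '0e999'],
    ['xiaoz', 'wrong'],
];

foreach ($attempts as [$u, $p]) {
    printf("pass=%-10s loose=%s strict=%s\n", $p,
        login_loose($u, $p, $username, $password) ? 'OK' : 'denied',
        login_strict($u, $p, $username, $password) ? 'OK' : 'denied');
}
```

Only the first attempt passes login_strict; the loose form accepts every input that evaluates to 0, which is the bypass the report describes.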


We are processing your report and will contact the helloxz/onenav team within 24 hours.
We have contacted a member of the helloxz/onenav team and are waiting to hear back.
helloxz validated this vulnerability.
hitisec has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
helloxz marked this as fixed in Unissued with commit cbd6aa.
The fix bounty has been dropped.
This vulnerability will not receive a CVE.
login.php#L14 has been validated.
login.php#L21-L25 has been validated.