Use of a Broken or Risky Cryptographic Algorithm in anonaddy/anonaddy

Valid

Reported on

Oct 5th 2021


Description

MD5 and SHA-1 are popular cryptographic hash algorithms often used to verify the integrity of messages and other data. Recent advances in cryptanalysis have discovered weaknesses in both algorithms. Consequently, MD5 and SHA-1 should no longer be relied upon to verify the authenticity of data in security-critical contexts.

Proof of Concept

<?php

namespace Tests\Feature;

use App\Models\AdditionalUsername; use App\Models\DeletedUsername; use App\Models\Recipient; use App\Models\User; use Illuminate\Auth\Notifications\VerifyEmail; use Illuminate\Foundation\Testing\RefreshDatabase; use Illuminate\Support\Carbon; use Illuminate\Support\Facades\Config; use Illuminate\Support\Facades\Notification; use Illuminate\Support\Facades\URL; use Tests\TestCase;

class RegistrationTest extends TestCase { use RefreshDatabase;

/** @test */
public function user_can_register_successfully()
{
    Notification::fake();

    $response = $this->post('/register', [
        'username' => 'johndoe',
        'email' => 'johndoe@example.com',
        'email_confirmation' => 'johndoe@example.com',
        'password' => 'mypassword',
        'terms' => true,
    ]);

    $response
        ->assertRedirect('/')
        ->assertSessionHasNoErrors();

    $this->assertDatabaseHas('users', [
        'username' => 'johndoe'
    ]);

    $user = User::where('username', 'johndoe')->first();

    Notification::assertSentTo(
        $user,
        VerifyEmail::class
    );
}

/** @test */
public function user_cannot_register_with_invalid_characters()
{
    $response = $this->post('/register', [
        'username' => 'Ω',
        'email' => 'johndoe@example.com',
        'email_confirmation' => 'johndoe@example.com',
        'password' => 'mypassword',
        'terms' => true,
    ]);

    $response->assertSessionHasErrors(['username']);

    $this->assertDatabaseMissing('users', [
        'username' => 'Ω'
    ]);
}

/** @test */
public function user_can_verify_email_successfully()
{
    $user = User::factory()->create();
    $user->email_verified_at = null;
    $user->save();

    $this->assertNull($user->refresh()->email_verified_at);

    $verificationUrl = URL::temporarySignedRoute(
        'verification.verify',
        Carbon::now()->addMinutes(Config::get('auth.verification.expire', 60)),
        [
            'id' => $user->getKey(),
            'hash' => sha1($user->getEmailForVerification()),
        ]
    );

    $response = $this->actingAs($user)->get($verificationUrl);

    $response
        ->assertRedirect('/')
        ->assertSessionHas('verified');

    $this->assertNotNull($user->refresh()->email_verified_at);
}

/** @test */
public function user_must_use_valid_username()
{
    $response = $this->post('/register', [
        'username' => 'john_doe',
        'email' => 'johndoe@example.com',
        'password' => 'mypassword',
        'terms' => true,
    ]);

    $response->assertSessionHasErrors(['username']);

    $this->assertDatabaseMissing('users', [
        'username' => 'john_doe'
    ]);
}

/** @test */
public function user_must_confirm_email()
{
    $response = $this->post('/register', [
        'username' => 'johndoe',
        'email' => 'johndoe@example.com',
        'password' => 'mypassword',
        'terms' => true,
    ]);

    $response->assertSessionHasErrors(['email']);

    $this->assertDatabaseMissing('users', [
        'username' => 'johndoe'
    ]);
}

/** @test */
public function user_cannot_register_with_existing_email()
{
    $user = User::factory()->create(['username' => 'johndoe']);

    Recipient::factory()->create([
        'user_id' => $user->id,
        'email' => 'johndoe@example.com'
    ]);

    $response = $this->post('/register', [
        'username' => 'johndoe',
        'email' => 'johndoe@example.com',
        'email_confirmation' => 'johndoe@example.com',
        'password' => 'mypassword',
        'terms' => true,
    ]);

    $response->assertSessionHasErrors(['email']);
}

/** @test */
public function user_cannot_register_with_existing_username()
{
    User::factory()->create(['username' => 'johndoe']);

    $response = $this->post('/register', [
        'username' => 'johndoe',
        'email' => 'johndoe@example.com',
        'email_confirmation' => 'johndoe@example.com',
        'password' => 'mypassword',
        'terms' => true,
    ]);

    $response->assertSessionHasErrors(['username']);
}

/** @test */
public function user_cannot_register_with_existing_additional_username()
{
    AdditionalUsername::factory()->create(['username' => 'johndoe']);

    $response = $this->post('/register', [
        'username' => 'johndoe',
        'email' => 'johndoe@example.com',
        'email_confirmation' => 'johndoe@example.com',
        'password' => 'mypassword',
        'terms' => true,
    ]);

    $response->assertSessionHasErrors(['username']);
}

/** @test */
public function user_cannot_register_with_blacklisted_username()
{
    $response = $this->post('/register', [
        'username' => 'www',
        'email' => 'johndoe@example.com',
        'email_confirmation' => 'johndoe@example.com',
        'password' => 'mypassword',
        'terms' => true,
    ]);

    $response->assertSessionHasErrors(['username']);

    $this->assertDatabaseMissing('users', [
        'username' => 'www'
    ]);
}

/** @test */
public function user_cannot_register_with_uppercase_blacklisted_username()
{
    $response = $this->post('/register', [
        'username' => 'Www',
        'email' => 'johndoe@example.com',
        'email_confirmation' => 'johndoe@example.com',
        'password' => 'mypassword',
        'terms' => true,
    ]);

    $response->assertSessionHasErrors(['username']);

    $this->assertDatabaseMissing('users', [
        'username' => 'www'
    ]);
}

/** @test */
public function user_cannot_register_with_deleted_username()
{
    DeletedUsername::create(['username' => 'johndoe']);

    $response = $this->post('/register', [
        'username' => 'johndoe',
        'email' => 'johndoe@example.com',
        'email_confirmation' => 'johndoe@example.com',
        'password' => 'mypassword',
        'terms' => true,
    ]);

    $response->assertSessionHasErrors(['username']);

    $this->assertDatabaseMissing('users', [
        'username' => 'johndoe'
    ]);
}

/** @test */
public function user_cannot_register_with_uppercase_deleted_username()
{
    DeletedUsername::create(['username' => 'johndoe']);

    $response = $this->post('/register', [
        'username' => 'joHndoe',
        'email' => 'johndoe@example.com',
        'email_confirmation' => 'johndoe@example.com',
        'password' => 'mypassword',
        'terms' => true,
    ]);

    $response->assertSessionHasErrors(['username']);

    $this->assertDatabaseMissing('users', [
        'username' => 'johndoe'
    ]);
}

}

Impact

Weak cryptographic hashes cannot guarantee data integrity and should not be used in security-critical contexts.

We have contacted a member of the anonaddy team and are waiting to hear back a year ago
anonaddy/anonaddy maintainer
a year ago

Hi there,

Thanks for the report!

This same code is also used in Laravel's official repository - https://github.com/laravel/framework/blob/8.x/src/Illuminate/Auth/Notifications/VerifyEmail.php#L88

Since the sha1 hash algorithm is not being used for passwords but simply for a private temporary signed URL (that is only sent to the user), I do not think this is a security issue.

Devendra Bhatla
a year ago

Researcher


Hi buddy Thanks for reaching out. Use of SHA1 itself a security issue and it is vulnerable to hash collisions and other attacks.

Check the below link: https://www.computerworld.com/article/3173616/the-sha1-hash-function-is-now-completely-unsafe.html

Upgrading from SHA1 to SHA256 wont be a big challenge.

anonaddy/anonaddy maintainer
a year ago

I've just pushed a new release that updates the hashing algorithm from SHA1 to Bcrypt - https://github.com/anonaddy/anonaddy/releases/tag/v0.8.5

Thanks again.

Devendra Bhatla
a year ago

Researcher


Hey Buddy,

Thanks for patching this. Cheers !

Devendra Bhatla
a year ago

Researcher


Hey buddy, Can you please change the status of this report to fixed and it will be great if you can award me some disclosure bounty :) @Ziding Zhang can you please help us out in this :)

anonaddy/anonaddy maintainer validated this vulnerability a year ago
Devendra Bhatla has been awarded the disclosure bounty
The fix bounty is now up for grabs
anonaddy/anonaddy maintainer marked this as fixed with commit dd0ea0 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
RegistrationTest.php#L82 has been validated
Devendra Bhatla
a year ago

Researcher


It would be great if you can assign a CVE-ID for this. Cheers :)

Devendra Bhatla
a year ago

Researcher


Hi @maintainer Please confirm if we can start the process for the CVE ID.

to join this conversation