Insufficient Documentation of Error Handling Techniques in hascheksolutions/pictshare

Valid

Reported on

Jun 11th 2021


BUG

sha1 comparison bypass

DETAILS

The following lookup function, which pictshare uses to check whether a file's SHA1 hash is already recorded in data/sha1.csv, compares the stored hash with the supplied one using PHP's loose == operator, which allows the SHA1 check to be bypassed:

function sha1Exists($sha1)
{
    // Each line of sha1.csv is a 40-character hex SHA1, a comma, then the stored filename
    $handle = fopen(ROOT.DS.'data'.DS.'sha1.csv', "r");
    if ($handle) {
        while (($line = fgets($handle)) !== false) {
            // Loose == comparison between the stored hash and the supplied one
            if(substr($line,0,40)==$sha1) return trim(substr($line,41)); //vulnerable code
        }

        fclose($handle);
    }
    return false;
}

Here if(substr($line,0,40)==$sha1) uses the loose == operator. When both operands are numeric strings, PHP compares them as numbers, and a string of the form 0e followed only by decimal digits (for example 0e2342344.....) is read as the float 0 * 10^n, i.e. 0. Two different hashes of that form therefore compare equal.

Suppose the hash present in the file is 0e562342333443434334344344343443434.
It can then be matched with 0e111111111111111111111111111111111, because the check uses == instead of ===. The bypass requires both values to have this "0e" + digits form; hashes containing any of the hex letters a-f other than a single e in that position are not numeric strings and are compared as text.

You can reproduce this behaviour with the code below (it compares only the first four characters so that a short constructed value can stand in for a full hash):

<?php
// Constructed input: hash.txt holds a single line whose first four characters,
// "0e56", form a numeric string that PHP evaluates to zero.
file_put_contents('hash.txt', "0e567675675\n");

function sha1Exists($sha1)
{
    $handle = fopen('hash.txt', "r");
    if ($handle) {
        while (($line = fgets($handle)) !== false) {
            // Loose comparison: "0e56" == "0e453453" is true, both are numeric strings equal to 0
            if(substr($line,0,4)==$sha1) return trim(substr($line,4));
        }

        fclose($handle);
    }
    return false;
}

echo sha1Exists("0e453453"); // prints 7675675 although "0e453453" does not appear in the file
echo "\n";

?>

STUDY

https://www.whitehatsec.com/blog/magic-hashes/

SUGGESTED FIX

Use the strict === operator for the comparison instead of ==, so that the two 40-character strings are compared byte for byte and PHP never converts numeric-looking strings to numbers.
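The following is an added example (not pictshare's code and not part of the original report) that shows the loose lookup from DETAILS beside the strict version suggested above, run over an in-memory copy of the sha1.csv line format. The hash values are constructed for the demonstration: the "magic" entry is 0e followed by 38 zeros, the forged value is 0e followed by 38 ones, and the second entry is sha1("") (da39a3ee5e6b4b0d3255bfef95601890afd80709). The function names sha1ExistsLoose and sha1ExistsStrict are this example's own.

```php
<?php
// Added example, not pictshare code. Constructed hashes, see the lead-in.
$magic  = '0e' . str_repeat('0', 38); // numeric string, evaluates to 0.0
$forged = '0e' . str_repeat('1', 38); // different string, also evaluates to 0.0
assert(strlen($magic) === 40 && strlen($forged) === 40);

// Constructed sha1.csv contents: "<40 hex chars>,<filename>" per line.
$csv = $magic . ",magic.png\n"
     . "da39a3ee5e6b4b0d3255bfef95601890afd80709,empty.txt\n";

// Lookup as pictshare had it: == between two numeric strings compares them as numbers.
function sha1ExistsLoose(string $sha1, string $csv)
{
    foreach (explode("\n", rtrim($csv, "\n")) as $line) {
        if (substr($line, 0, 40) == $sha1) {
            return trim(substr($line, 41));
        }
    }
    return false;
}

// Hardened lookup: === compares the two strings byte for byte, no numeric conversion.
function sha1ExistsStrict(string $sha1, string $csv)
{
    foreach (explode("\n", rtrim($csv, "\n")) as $line) {
        if (substr($line, 0, 40) === $sha1) {
            return trim(substr($line, 41));
        }
    }
    return false;
}

var_dump($forged === $magic);                       // false: the strings differ
var_dump($forged == $magic);                        // true: 0.0 == 0.0
var_dump(sha1ExistsLoose($forged, $csv));           // "magic.png": the forged value matches another entry
var_dump(sha1ExistsStrict($forged, $csv));          // false: no such hash in the file

// A hash that is not of the 0e+digits form is not a numeric string, so it is
// compared as text by both versions and behaves the same either way.
$empty = 'da39a3ee5e6b4b0d3255bfef95601890afd80709';
var_dump(sha1ExistsLoose($empty, $csv) === 'empty.txt');
var_dump(sha1ExistsStrict($empty, $csv) === 'empty.txt');
```

Run with a stock PHP interpreter; the loose lookup returns magic.png for a value that is not in the file, while the strict lookup returns false. The same strict comparison (or hash_equals() for secret values) is what the merged fix relies on.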

ranjit-git submitted a year ago
Christian Haschek validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
ranjit-git (Researcher), a year ago:

Hi Christian, a PR has been created: https://github.com/HaschekSolutions/pictshare/pull/128

Christian Haschek confirmed that a fix has been merged on 199f16 a year ago
ranjit-git has been awarded the fix bounty