Insufficient Documentation of Error Handling Techniques in HaschekSolutions/pictshare

Valid
Reported on Jun 11th 2021

BUG

sha1 comparison bypass

DETAILS

There is vulnerable code that allows the file sha1 hash check to be bypassed:

function sha1Exists($sha1)
{
    $handle = fopen(ROOT.DS.'data'.DS.'sha1.csv', "r");
    if ($handle) {
        while (($line = fgets($handle)) !== false) {
            if(substr($line,0,40)==$sha1) return trim(substr($line,41)); //vulnerable code
        }

        fclose($handle);
    }
    return false;
}

Here if(substr($line,0,40)==$sha1) compares with the == operator, which can be bypassed if the hash starts with 0e2342344.....

Suppose the hash present in the file is 0e562342333443434334344344343443434 .
It can then be bypassed with 0e111111111111111111111111111111111 , because the check uses the == operator instead of === .

You can reproduce this behaviour with the code below:

<?php
function sha1Exists($sha1)
{
    $handle = fopen('hash.txt', "r");  // create a file hash.txt and put 0e567675675 as content
    if ($handle) {
        while (($line = fgets($handle)) !== false) {
            // "0e56" == "0e453453" is true: both are numeric strings that evaluate to 0
            if(substr($line,0,4)==$sha1) return trim(substr($line,4));
        }

        fclose($handle);
    }
    return false;
}

echo sha1Exists("0e453453");   // prints the remainder of the stored line although the prefixes differ
echo "\n";

?>

STUDY

https://www.whitehatsec.com/blog/magic-hashes/

SUGGESTED FIX

Use the === operator for the comparison instead of == .
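The following is an added example written for this report, not pictshare's own code. It writes a small constructed sha1.csv to a temporary file and runs the loose (==) lookup described above next to a strict replacement on the same input, so the difference is visible. It assumes the record layout implied by substr($line,41) in the original: 40 lowercase hex characters, a one-character separator (';' is assumed here), then the filename. The hardened version first rejects anything that is not a 40-character lowercase hex digest and then compares with hash_equals(), which is a byte-for-byte string comparison (so it is strict like ===) and also constant-time.

```php
<?php
// Added example for this report; it is not pictshare's code.
// Assumed record layout: 40 lowercase hex chars, a ';' separator, then the filename.

// Constructed records. The first digest is shaped like a PHP "magic hash":
// "0e" followed only by digits, which == reads as the number zero.
$magicDigest = '0e' . str_repeat('1', 38);                  // 40 characters
$emptyDigest = 'da39a3ee5e6b4b0d3255bfef95601890afd80709';  // sha1('')
$path = tempnam(sys_get_temp_dir(), 'sha1csv');
file_put_contents($path, "$magicDigest;magic.bin\n$emptyDigest;empty.txt\n");

// Lookup as reported: loose comparison on the first 40 characters of each line.
function sha1ExistsLoose(string $path, string $sha1)
{
    $handle = fopen($path, 'r');
    if (!$handle) {
        return false;
    }
    $result = false;
    while (($line = fgets($handle)) !== false) {
        // Two numeric strings are compared as numbers by ==, not as text.
        if (substr($line, 0, 40) == $sha1) {
            $result = trim(substr($line, 41));
            break;
        }
    }
    fclose($handle);
    return $result;
}

// Hardened lookup: validate the digest's shape, then compare strictly.
function sha1ExistsStrict(string $path, string $sha1)
{
    // Anything that is not exactly 40 lowercase hex digits cannot be a sha1 here.
    if (!preg_match('/\A[0-9a-f]{40}\z/', $sha1)) {
        return false;
    }
    $handle = fopen($path, 'r');
    if (!$handle) {
        return false;
    }
    $result = false;
    while (($line = fgets($handle)) !== false) {
        // hash_equals() compares the two strings byte for byte, in constant time.
        if (hash_equals(substr($line, 0, 40), $sha1)) {
            $result = trim(substr($line, 41));
            break;
        }
    }
    fclose($handle);
    return $result;
}

// A different 40-character numeric string that == also evaluates to zero.
$probe = '0e' . str_repeat('9', 38);

var_dump(sha1ExistsLoose($path, $probe));         // loose lookup with the probe
var_dump(sha1ExistsStrict($path, $probe));        // strict lookup with the probe
var_dump(sha1ExistsStrict($path, $magicDigest));  // strict lookup with the stored digest
var_dump(sha1ExistsStrict($path, $emptyDigest));

unlink($path);
```

With this data sha1ExistsLoose() returns "magic.bin" for $probe even though the stored digest and the probe differ in every digit after "0e": PHP compares two numeric strings numerically, and both evaluate to zero. sha1ExistsStrict() returns false for the probe and still resolves the two genuine digests to their filenames. This applies to PHP 8 as well, since the comparison change in PHP 8 affected string-versus-number comparisons, not comparisons between two numeric strings; a strict comparison (=== or hash_equals()) is needed regardless of version.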