Use of Wrong Operator in String Comparison in erikdubbelboer/phpredisadmin

Valid

Reported on

Oct 5th 2021


Description

$response is a salted MD5 hash generated from the concatenated hashes of the credentials together with other parameters.

It has been discovered that $response is compared with $data['response'] using the loose comparison operator != in the file login.inc.php. This might cause unexpected behavior due to type juggling.

It is possible to reduce the strength of the hash by using a magic hash attack, which can be leveraged to bypass authentication.

Impact

This vulnerability can lead to authentication bypass.

Remediation

Use !== instead
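
The difference between the loose and strict checks, as an added example (not code from phpredisadmin; the function names and the sample values are constructed for illustration, and hash_equals() is shown as an option beyond the report's fix):

```php
<?php
declare(strict_types=1);

// Loose check, the pattern the report describes: strings that look like
// numbers are converted to numbers before being compared.
function looseMismatch(string $expected, string $supplied): bool
{
    return $expected != $supplied;
}

// Strict check, the report's remediation: same type and same bytes.
function strictMismatch(string $expected, string $supplied): bool
{
    return $expected !== $supplied;
}

// Addition beyond the report's fix: hash_equals() is PHP's built-in
// string comparison, which is also timing-safe.
function timingSafeMismatch(string $expected, string $supplied): bool
{
    return !hash_equals($expected, $supplied);
}

// Constructed 32-character sample values, not digests of any real input.
$cases = [
    'different "0e" + digits strings' => ['0e' . str_repeat('1', 30), '0e' . str_repeat('2', 30)],
    'different ordinary hex strings'  => [str_repeat('ab', 16), str_repeat('cd', 16)],
    'identical strings'               => [str_repeat('ab', 16), str_repeat('ab', 16)],
];

foreach ($cases as $label => [$expected, $supplied]) {
    printf(
        "%-33s != rejects: %-3s  !== rejects: %-3s  hash_equals rejects: %s\n",
        $label,
        looseMismatch($expected, $supplied) ? 'yes' : 'no',
        strictMismatch($expected, $supplied) ? 'yes' : 'no',
        timingSafeMismatch($expected, $supplied) ? 'yes' : 'no'
    );
}
```

Only the first case separates the operators: both operands parse as the float 0, so != reports no mismatch for two different strings, while !== and hash_equals() reject them.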

We have contacted a member of the erikdubbelboer/phpredisadmin team and are waiting to hear back 2 months ago
Erik Dubbelboer validated this vulnerability 2 months ago
Viky has been awarded the disclosure bounty
The fix bounty is now up for grabs
Erik Dubbelboer confirmed that a fix has been merged on 31aa76 2 months ago
The fix bounty has been dropped
login.inc.php#L59 has been validated