Type Confusion in craigk5n/webcalendar

Valid

Reported on

Oct 1st 2021


Description

During the comparisons of different variables, php will automatically convert the data into a common, comparable type. This leads to a variety of problems and might even cause security vulnerabilities.

https://github.com/craigk5n/webcalendar has type juggling vulnerabilities that allows auth bypass as shown below:

Proof of Concept

webcalendar uses md5 to store user provided passwords and stored in a configuration file as follows:

  fwrite( $fd, '<?php' . "\r\n" . 'install_password: ' . md5( $pwd1 )
     . "\r\n?>\r\n" );
  fclose( $fd );

later, it uses this conf file to perform auth checks, under certain circunstaces this checks can be bypassed because type juggling and magic hashes.

Payload: Go to http://localhost/webcalendar-master/install/index.php Enter password:

UEaXPm4IIDp3 

This generates the settings file /var/www/html/webcalendar-master/includes/settings.php with the following content:

<?php
install_password: 0e461721121374870411609769578212
?>

The following block checks for the password, however uses == to verify it. Thus making it vulnerable to Auth bypass using type conversion magic hashes:

  if( md5( $pwd ) == $password ) {
    $_SESSION['validuser'] = $password;
    echo translate( 'Password Accepted' ) . '</title>
    <meta http-equiv="refresh" content="0; index.php" />
  </head>

Now go to: http://localhost/webcalendar-master/install/index.php And enter a different password , for example:

wzXzQTGIx9VU

And observe the login is correct

Impact

This vulnerability is capable of bypassing authentication

We created a GitHub Issue asking the maintainers to create a SECURITY.md 8 months ago
Craig Knudsen validated this vulnerability 7 months ago
hitisec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Craig Knudsen
7 months ago

Maintainer


There is an open pull request that addresses this issue: https://github.com/craigk5n/webcalendar/pull/250/files It should be merged into master in the next week.

Craig Knudsen
3 months ago

Maintainer


This has been merged into master and boostrap-ui branches.

hitisec
3 months ago

Researcher


Thanks!

hitisec
3 months ago

Researcher


Thanks!

Craig Knudsen
3 months ago

Maintainer


The fix for this was included in the WebCalendar v1.9.0 release.

Craig Knudsen confirmed that a fix has been merged on d7784e 3 months ago
Craig Knudsen has been awarded the fix bounty
index.php#L178-L183 has been validated
to join this conversation