Use of Wrong Operator in String Comparison in yeswiki/yeswiki

Valid

Reported on

Oct 5th 2021


Description

During the comparisons of different variables, PHP will automatically convert the data into a common, comparable type. This makes it possible to compare the number 12 to the string '12' or check whether or not a string is empty by using a comparison like $string == True. This, however, leads to a variety of problems and might even cause security vulnerabilities.The use == and != of might cause type juggling at the affected code.
https://github.com/YesWiki/yeswiki/ is vulnerable to Use of Wrong Operator in String Comparison as shown below:

Proof of concept

Vuln variable: $_POST["password"]
Snippet:

// cas de l'identification
if ($_REQUEST["action"] == "login") {
    // si l'utilisateur existe, on vérifie son mot de passe
    if (isset($_POST["name"]) && $_POST["name"] != '' && $existingUser = $this->LoadUser($_POST["name"])) {
        // si le mot de passe est bon, on créée le cookie et on redirige sur la bonne page
        if ($existingUser["password"] == md5($_POST["password"])) {
            $this->SetUser($existingUser, $_POST["remember"]);

...
    public function checkPassword($pwd, $newUser = '')
    {
        if (empty($newUser) && $this->properties['password'] != md5($pwd)) {
        ...
                } else {
            return true;
        }

Due to type juggling vulnerability , the authentication can be bypassed when the md5 hash of two strings contains only numbers.

Payload

To comprobe the vulnerability, install a new instance of yeswiki and set the password to, or change the existing password installation (http://localhost/yeswiki-doryphore/?ParametresUtilisateur) to:

240610708

Now go to http://localhost/yeswiki-doryphore/?HomePage and clic login in the upper right corner menu:
Enter a valid username and in the password field insert:

GZECLQZ

Observe the auth is sucessful.
This is due to the type juggling and magic hash vulnerability. Other valid password to bypass the auth process are:

GEGHBXL
DYAXWCA
aabg7XSs

Impact

This vulnerability is capable of authentication bypass via magic hash attack

Occurences

Proof of concept

Vuln variable: $_POST['admin_password']
Snippet:

        $admin_password = $_POST['admin_password'];
        $admin_password_conf = $_POST['admin_password_conf'];
        ...
        test(
            _t('CHECKING_THE_ADMIN_PASSWORD_CONFIRMATION').' ...',
            $admin_password == $admin_password_conf,
            _t('ADMIN_PASSWORD_ARE_DIFFERENT'),
            1
        );  

Payload

Go to the install step of yeswiki, in the first password field under Administrator account insert

0e12345

In the password confirmation field insert:

0e54321

Observe that these are two different passwords, but yeswiki allows to continue the installation.

We have contacted a member of the yeswiki team and are waiting to hear back 2 months ago
Jérémy Dufraisse validated this vulnerability 2 months ago
hitisec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jérémy Dufraisse confirmed that a fix has been merged on f6b965 2 months ago
Jérémy Dufraisse has been awarded the fix bounty
login.php#L121-L122 has been validated
install.php#L103 has been validated
User.class.php#L376-L383 has been validated