Use of Wrong Operator in String Comparison in yeswiki/yeswiki


Reported on

Oct 5th 2021


During the comparisons of different variables, PHP will automatically convert the data into a common, comparable type. This makes it possible to compare the number 12 to the string '12' or check whether or not a string is empty by using a comparison like $string == True. This, however, leads to a variety of problems and might even cause security vulnerabilities.The use == and != of might cause type juggling at the affected code. is vulnerable to Use of Wrong Operator in String Comparison as shown below:

Proof of concept

Vuln variable: $_POST["password"]

// cas de l'identification
if ($_REQUEST["action"] == "login") {
    // si l'utilisateur existe, on vérifie son mot de passe
    if (isset($_POST["name"]) && $_POST["name"] != '' && $existingUser = $this->LoadUser($_POST["name"])) {
        // si le mot de passe est bon, on créée le cookie et on redirige sur la bonne page
        if ($existingUser["password"] == md5($_POST["password"])) {
            $this->SetUser($existingUser, $_POST["remember"]);

    public function checkPassword($pwd, $newUser = '')
        if (empty($newUser) && $this->properties['password'] != md5($pwd)) {
                } else {
            return true;

Due to type juggling vulnerability , the authentication can be bypassed when the md5 hash of two strings contains only numbers.


To comprobe the vulnerability, install a new instance of yeswiki and set the password to, or change the existing password installation (http://localhost/yeswiki-doryphore/?ParametresUtilisateur) to:


Now go to http://localhost/yeswiki-doryphore/?HomePage and clic login in the upper right corner menu:
Enter a valid username and in the password field insert:


Observe the auth is sucessful.
This is due to the type juggling and magic hash vulnerability. Other valid password to bypass the auth process are:



This vulnerability is capable of authentication bypass via magic hash attack


Proof of concept

Vuln variable: $_POST['admin_password']

        $admin_password = $_POST['admin_password'];
        $admin_password_conf = $_POST['admin_password_conf'];
            $admin_password == $admin_password_conf,


Go to the install step of yeswiki, in the first password field under Administrator account insert


In the password confirmation field insert:


Observe that these are two different passwords, but yeswiki allows to continue the installation.

We have contacted a member of the yeswiki team and are waiting to hear back a year ago
Jérémy Dufraisse validated this vulnerability a year ago
hitisec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jérémy Dufraisse marked this as fixed with commit f6b965 a year ago
Jérémy Dufraisse has been awarded the fix bounty
This vulnerability will not receive a CVE
login.php#L121-L122 has been validated
install.php#L103 has been validated
User.class.php#L376-L383 has been validated
to join this conversation