Use of Wrong Operator in String Comparison in opensourcepos/opensourcepos

Valid

Reported on

Sep 30th 2021


Description

The use of == and != might cause type juggling in the affected code if $row->hash_version == 1.

Proof of Concept

If the MD5 sum of a user's password starts with 0e, then any input whose MD5 sum also starts with 0e will evaluate to true in the statement $row->password == md5($password).

Impact

This vulnerability can allow authentication bypass via a magic hash attack.
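
The comparison described in this report, as an added example that is not opensourcepos code: PHP's == treats two strings of the form 0e followed only by digits as numbers in scientific notation (both equal to zero), so two different digests compare equal, while hash_equals() compares the bytes. The function names, the constructed digest strings and the choice of hash_equals() are assumptions for illustration, not the project's merged fix.

```php
<?php
// Added illustration. The digests are constructed 32-character strings,
// not the MD5 of any real password.

function loose_match(string $stored, string $computed): bool
{
    // The pattern from the report: == on two hex digest strings.
    // If both are numeric strings, PHP compares them as numbers.
    return $stored == $computed;
}

function strict_match(string $stored, string $computed): bool
{
    // Byte-for-byte, constant-time comparison with no numeric conversion.
    return hash_equals($stored, $computed);
}

$digits_a = '0e' . str_repeat('1', 30);        // 0e + digits only
$digits_b = '0e' . str_repeat('9', 30);        // different digest, same shape
$hex_tail = '0e' . str_repeat('1', 29) . 'a';  // contains a hex letter, so not numeric

$cases = [
    'two 0e+digits digests' => [$digits_a, $digits_b],
    'one has a hex letter'  => [$hex_tail, $digits_b],
    'identical digests'     => [$digits_a, $digits_a],
];

foreach ($cases as $label => [$stored, $computed]) {
    printf(
        "%-22s loose=%-5s strict=%s\n",
        $label,
        var_export(loose_match($stored, $computed), true),
        var_export(strict_match($stored, $computed), true)
    );
}
```

Only the first case differs between the two functions, which is why the issue is limited to accounts whose stored legacy digest happens to have the 0e-plus-digits shape.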

We have contacted a member of the opensourcepos team and are waiting to hear back 2 months ago
jekkos validated this vulnerability 2 months ago
Viky has been awarded the disclosure bounty
The fix bounty is now up for grabs
jekkos
2 months ago

Maintainer


This vulnerability only affects users that are on an old password hashing scheme, which was replaced a couple of years ago. So basically it won't affect new installations.

jekkos confirmed that a fix has been merged on f1672d 2 months ago
jekkos has been awarded the fix bounty
Employee.php#L335 has been validated