Use of Wrong Operator in String Comparison in opensourcepos/opensourcepos
Valid
Reported on Sep 30th 2021
Description
The use of == and != might cause type juggling in the affected code if $row->hash_version == 1.
Proof of Concept
If the md5 sum of the user's password starts with 0e, then any input with an md5 sum starting with 0e will result in true at the statement $row->password == md5($password).
Impact
This vulnerability can allow authentication bypass via a magic hash attack.
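
The comparison behaviour described above, next to a strict comparison and a check for affected legacy rows. This is an added example, not part of the report and not opensourcepos code: the function names and the sample rows are hypothetical, the hash strings are constructed values shaped like MD5 digests, and only the hash_version and password field names come from the report.

```php
<?php
// Added example; function names and sample data are hypothetical.

// Constructed 32-character strings shaped like MD5 hex digests (not real hashes).
$stored    = '0e' . str_repeat('1', 30); // legacy value that PHP parses as a number
$candidate = '0e' . str_repeat('2', 30); // a different digest with the same shape
$ordinary  = 'a3' . str_repeat('f', 30); // typical digest containing hex letters

function loose_match(string $stored, string $computed): bool
{
    // When both operands are numeric strings, == compares them as numbers,
    // and "0e<digits>" evaluates to zero on both sides.
    return $stored == $computed;
}

function strict_match(string $stored, string $computed): bool
{
    // Byte-wise, constant-time comparison with no type conversion.
    return hash_equals($stored, $computed);
}

function is_juggling_prone(string $hash): bool
{
    // Leading zero(s), "e", then decimal digits only: a numeric string equal to zero.
    return preg_match('/^0+e\d+$/i', $hash) === 1;
}

foreach ([[$stored, $candidate], [$stored, $ordinary]] as [$a, $b]) {
    printf("%s vs %s loose=%s strict=%s\n", $a, $b,
        var_export(loose_match($a, $b), true),
        var_export(strict_match($a, $b), true));
}

// Audit: list accounts still on the old scheme whose stored hash has the risky shape.
$rows = [ // constructed sample rows
    ['username' => 'alice', 'hash_version' => 1, 'password' => $stored],
    ['username' => 'bob',   'hash_version' => 1, 'password' => $ordinary],
    ['username' => 'carol', 'hash_version' => 2, 'password' => '(newer scheme)'],
];
foreach ($rows as $row) {
    if ((int) $row['hash_version'] === 1 && is_juggling_prone($row['password'])) {
        echo "needs password reset or rehash: {$row['username']}\n";
    }
}
```

The audit loop reflects the maintainer's point that only accounts on the old hashing scheme are exposed: it ignores rows whose hash_version is not 1.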
Occurrences
We have contacted a member of the opensourcepos team and are waiting to hear back
2 years ago
This vulnerability only affects users that are on an old password hashing scheme, which was replaced a couple of years ago. So basically it won't affect new installations.
Employee.php#L335
has been validated