Use of Wrong Operator in String Comparison in opensourcepos/opensourcepos


Reported on

Sep 30th 2021


The use of == and != might cause type juggling in the affected code if $row->hash_version == 1.

Proof of Concept

If the MD5 sum of the user's password starts with 0e, then any input whose MD5 sum starts with 0e will evaluate to true in the statement $row->password == md5($password)


This vulnerability allows authentication bypass via a magic hash attack.
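
The comparison behaviour described above, as an added example that is not part of the original report or of the opensourcepos code base. It compares constructed, hash-shaped strings (not real password digests) with `==` and with `hash_equals()`, and it also shows that a digest must consist of 0e followed only by decimal digits for the loose comparison to misfire. The function names are hypothetical.

```php
<?php
// Added illustration; function names are hypothetical and all digests below
// are constructed strings, not hashes of real passwords.

/** Loose comparison, the same operator as the reported statement. */
function legacy_check_loose(string $stored, string $computed): bool
{
    // When both operands are numeric strings, == compares them as numbers.
    return $stored == $computed;
}

/** Byte-for-byte, constant-time comparison with no type conversion. */
function legacy_check_strict(string $stored, string $computed): bool
{
    return hash_equals($stored, $computed);
}

/** True when a digest has the 0e<digits> form, which PHP parses as float 0. */
function is_magic_hash(string $digest): bool
{
    return preg_match('/^0+e[0-9]+$/i', $digest) === 1;
}

// Constructed 32-character values shaped like md5() output.
$stored   = '0e' . str_repeat('1', 30);        // 0e + digits only
$computed = '0e' . str_repeat('2', 30);        // a different 0e + digits value
$hexTail  = '0e' . str_repeat('1', 29) . 'a';  // starts with 0e, contains a hex letter

// Both operands parse as 0 * 10^n, so the loose check treats them as equal.
var_dump(legacy_check_loose($stored, $computed));

// hash_equals() compares the bytes, so the two different digests do not match.
var_dump(legacy_check_strict($stored, $computed));

// A single hex letter makes the string non-numeric; == falls back to a
// string comparison here, so "starts with 0e" alone is not sufficient.
var_dump(legacy_check_loose($hexTail, $computed));

// Audit helper: flag stored legacy (hash_version 1) digests that are exposed.
foreach ([$stored, $hexTail] as $digest) {
    printf("%s magic=%s\n", $digest, is_magic_hash($digest) ? 'yes' : 'no');
}
```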

We have contacted a member of the opensourcepos team and are waiting to hear back a year ago
jekkos validated this vulnerability a year ago
Viky has been awarded the disclosure bounty
The fix bounty is now up for grabs


This vulnerability only affects users that are on an old password hashing scheme, which was replaced a couple of years ago. So basically it won't affect new installations.

jekkos confirmed that a fix has been merged on f1672d a year ago
jekkos has been awarded the fix bounty
Employee.php#L335 has been validated