Use of Wrong Operator in String Comparison in hestiacp/hestiacp

Valid
Reported on Sep 10th 2021

✍️ Description

$_SESSION["token"] is a CSRF token, an MD5 hash generated from the system time.

It has been discovered that $_SESSION["token"] is compared with $_GET["token"] using the loose comparison operator != in the file index.php. This can cause unexpected behavior due to PHP type juggling.

It is possible to bypass the CSRF token check using a magic hash attack, which can then be leveraged to perform a CSRF attack.

Remediation

Use !== instead.
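The following is an added example, not code from the report or from HestiaCP, showing why a loose `!=` token comparison is unsafe in PHP and what the strict replacement looks like. It compares a vulnerable check against a hardened one over constructed token values (the "0e..." strings below are made up for illustration; they are not real hashes). The hardened version goes slightly beyond the report's remediation: it also rejects an empty session token and uses `hash_equals()`, which is strict like `!==` and additionally constant-time.

```php
<?php
// Added example (not HestiaCP's code). Token values are constructed.

// Vulnerable pattern: loose comparison. When both operands are strings
// that PHP treats as numeric (e.g. "0e..." forms, which parse as 0 * 10^n),
// they are compared as numbers, so distinct strings can compare equal.
function csrf_ok_loose(string $sessionToken, $requestToken): bool
{
    if ($sessionToken != $requestToken) {
        return false;
    }
    return true;
}

// Hardened pattern:
//  - a missing or empty session token never passes (an empty string would
//    otherwise loosely equal a missing request parameter),
//  - the request value must actually be a string,
//  - hash_equals() compares strictly (type and length, no numeric
//    coercion, same outcome as !==) and in constant time.
function csrf_ok_strict(?string $sessionToken, $requestToken): bool
{
    if ($sessionToken === null || $sessionToken === '') {
        return false;
    }
    if (!is_string($requestToken)) {
        return false;
    }
    return hash_equals($sessionToken, $requestToken);
}

// Constructed cases: [session token, request token, what a correct check returns]
$cases = [
    ['0e215962017', '0e215962017', true],   // identical: must pass
    ['0e215962017', '0e462097431', false],  // both numeric-looking, different: must fail
    ['0e215962017', '0',           false],  // "0e..." vs "0": loose compare treats as equal
    ['',            '',            false],  // empty session token: must fail
    ['abc123',      null,          false],  // request parameter absent
];

foreach ($cases as [$sess, $req, $expected]) {
    printf(
        "session=%-14s request=%-14s loose(!=)=%-5s strict=%-5s expected=%s\n",
        var_export($sess, true),
        var_export($req, true),
        var_export(csrf_ok_loose($sess, $req), true),
        var_export(csrf_ok_strict($sess, $req), true),
        var_export($expected, true)
    );
}
```

Run it with `php` on the command line: the loose check accepts the second, third and fourth cases (two different numeric-looking strings, a numeric-looking string against "0", and an empty token against an empty parameter), while the strict check agrees with the expected column in every row. Note that `hash_equals()` raises a `TypeError` on non-string arguments in PHP 8, which is why the request value is type-checked first.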

We have contacted a member of the hestiacp team and are waiting to hear back 6 days ago
Viky submitted a
6 days ago
Jaap Marcus validated this vulnerability 6 days ago
Viky has been awarded the disclosure bounty
$25
The fix bounty is now up for grabs
$6.25
Jaap Marcus
6 days ago

Maintainer


Patch is not complete; there are more files affected. I will go over all files and fix the issues if you don't mind.

Jaap Marcus confirmed that a fix has been merged on fc68ba 5 days ago
Jaap Marcus has been awarded the fix bounty
$6.25
Viky
13 hours ago

Researcher


@admin can I have a cve?

Jamie Slome
9 hours ago

Admin


CVE published! 🎊

CVE-2021-3797

Jaap Marcus
8 hours ago

Maintainer


@admins

I think a CVE is a bit over done:

  1. Token is not generated by MD5 but

https://github.com/hestiacp/hestiacp/blob/ba84b5ad93dc5f33894931d7a7350684a85e7acf/web/inc/main.php#L87-L93

So in the rare cases where $_SESSION['token'] is empty, which should never happen, or in the rare cases where the generated session token would generate a valid number.

With a 16 char length random string the chances would be very small.

I do agree the suggested improvements are correct and valid, but in practical use it would be almost impossible to abuse it.

Jamie Slome
7 hours ago

Admin


Hello Jaap, 👋

We published the CVE as you indicated that this was a valid security issue and agreed with the contents of the report (CVSS etc.).

In the future, if this is not the case, please make us or the researcher aware by invalidating the report.

-- Jamie