Use of Wrong Operator in String Comparison in flatcore/flatcore-cms


Reported on

Oct 14th 2021


Use of incorrect operator == and != for page_psw

Proof of Concept

If my actual page password is 240610708 then an attacker can key in QLTHNDT because:

md5(240610708) = 0e462097431906509019562988736854

md5(QLTHNDT) = 0e405967825401955372549139051580

And PHP will evaluate '0e462097431906509019562988736854' == '0e405967825401955372549139051580' as true. This is because == does not enforce strict type checking. Hence the above strings will be treated as integers, since 0e... is essentially 0. The comparison is essentially evaluating whether 0 == 0, which is true.

List of possible passwords:


This vulnerability is capable of bypassing the need for correct page passwords if the password starts with 0e...
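The comparison from the proof of concept, shown next to a strict check, as an added example (this is not flatcore's code and not the fix commit referenced in this report). The function names are hypothetical, and hashing page_psw with MD5 is assumed from the PoC's use of md5().

```php
<?php
// Added example: function names are hypothetical, not taken from flatcore.
// $storedHash stands in for the stored MD5 of page_psw (assumed from the PoC).

/** Vulnerable form: == compares two numeric-looking strings as numbers. */
function check_page_psw_loose(string $storedHash, string $submitted): bool
{
    return md5($submitted) == $storedHash;
}

/** Hardened form: hash_equals() compares the raw bytes, in constant time. */
function check_page_psw_strict(string $storedHash, string $submitted): bool
{
    return hash_equals($storedHash, md5($submitted));
}

/** Audit helper: true when PHP's == would read the hash as 0 * 10^n. */
function is_zero_exponent_hash(string $hash): bool
{
    return preg_match('/^0+e\d+$/', $hash) === 1;
}

// The two inputs named in the report, plus one constructed wrong guess.
$stored = md5('240610708');

foreach (['240610708', 'QLTHNDT', 'constructed-wrong-guess'] as $candidate) {
    printf(
        "%-24s loose=%-5s strict=%s\n",
        $candidate,
        var_export(check_page_psw_loose($stored, $candidate), true),
        var_export(check_page_psw_strict($stored, $candidate), true)
    );
}

// Stored hashes of this shape are the ones exposed to the loose comparison.
printf("stored hash affected: %s\n", var_export(is_zero_exponent_hash($stored), true));
```

The same helper can be run over existing stored hashes to find pages whose password is affected until every comparison is strict.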

We have contacted a member of the flatcore/flatcore-cms team and are waiting to hear back 2 years ago
haxatron modified the report
2 years ago
haxatron submitted a
2 years ago
2 years ago


See my fix commit at

Patrick validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
2 years ago


Do you do a Pull request at GitHub? Or, how can I confirm this fix?

2 years ago


You can merge my fix commit

Patrick marked this as fixed with commit 82788d 2 years ago
haxatron has been awarded the fix bounty
This vulnerability will not receive a CVE