Use of Wrong Operator in String Comparison in flatcore/flatcore-cms

Valid

Reported on

Oct 14th 2021


Description

Use of the incorrect operators == and != when checking page_psw

Proof of Concept

If my actual page password is 240610708 then an attacker can key in QLTHNDT because:

md5(240610708) = 0e462097431906509019562988736854

md5(QLTHNDT) = 0e405967825401955372549139051580

And PHP will evaluate '0e462097431906509019562988736854' == '0e405967825401955372549139051580' as true. This is because == does not enforce strict type checking: both hashes are numeric strings, so PHP compares them as numbers, and 0e... in scientific notation is essentially 0. The comparison therefore reduces to 0 == 0, which is true.

List of possible passwords: https://github.com/spaze/hashes/blob/master/md5.md
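The following is an added example, not code from flatCore-CMS or from the researcher's fix commit (which is linked below but not quoted on this page). It places a loose-comparison password check next to a strict one, using the two strings from the report. The function names and the use of `hash_equals()` for the strict variant are my own choices for illustration.

```php
<?php
// Added example (not flatCore-CMS code): loose vs. strict page-password checks.
// $stored_md5 is assumed to hold md5() of the configured page password, as the report describes.

// Loose comparison: if both md5 hex strings are "0e" followed only by digits,
// PHP treats them as numeric strings and compares them as numbers (0e... == 0).
function check_page_password_loose(string $stored_md5, string $input): bool
{
    return md5($input) == $stored_md5;   // vulnerable: numeric-string comparison
}

// Strict comparison: hash_equals() never coerces its arguments, so the two
// hex strings are compared byte for byte (and in constant time).
function check_page_password_strict(string $stored_md5, string $input): bool
{
    return hash_equals($stored_md5, md5($input));
}

// Values taken from the report: md5('240610708') and md5('QLTHNDT') both start with "0e".
$stored = md5('240610708');

foreach (['240610708', 'QLTHNDT'] as $candidate) {
    printf(
        "%-10s loose=%s strict=%s\n",
        $candidate,
        var_export(check_page_password_loose($stored, $candidate), true),
        var_export(check_page_password_strict($stored, $candidate), true)
    );
}
```

Running this shows the behaviour the report describes: the loose check accepts both the real password and the unrelated string, while the strict check accepts only the real password. Using `===` instead of `==` is enough to stop the type juggling; `hash_equals()` additionally avoids leaking timing information. As a general hardening note beyond this report, storing an unsalted MD5 of a password is itself weak, and `password_hash()` / `password_verify()` would be the usual replacement.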

Impact

This vulnerability is capable of bypassing the need for correct page passwords if the password starts with 0e...

We have contacted a member of the flatcore/flatcore-cms team and are waiting to hear back 2 years ago
haxatron modified the report 2 years ago
haxatron submitted a 2 years ago
haxatron
2 years ago

Researcher


See my fix commit at https://github.com/Haxatron/flatCore-CMS/commit/c24a6cb4d25c5ff0e9912a165710e6870029577e

Patrick validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Patrick
2 years ago

Maintainer


Do you do a Pull request at GitHub? Or, how can I confirm this fix?

haxatron
2 years ago

Researcher


You can merge my fix commit

Patrick marked this as fixed with commit 82788d 2 years ago
haxatron has been awarded the fix bounty
This vulnerability will not receive a CVE