Use of Wrong Operator in String Comparison in flatcore/flatcore-cms

Valid

Reported on

Oct 14th 2021


Description

Use of the loose comparison operators == and != when checking page_psw, the page password

Proof of Concept

If the actual page password is 240610708, an attacker can instead enter QLTHNDT, because:

md5(240610708) = 0e462097431906509019562988736854

md5(QLTHNDT) = 0e405967825401955372549139051580

PHP evaluates '0e462097431906509019562988736854' == '0e405967825401955372549139051580' as true. The loose comparison operator == does not compare two numeric strings as strings: since both operands look like numbers in scientific notation (0 times a power of ten), PHP converts both to the float 0 and the check reduces to 0 == 0, which is true. The same holds for != , which is simply the negation. This numeric comparison of two numeric strings still happens in PHP 8; the PHP 8 change to == only affected comparisons between a number and a non-numeric string.

List of plaintexts whose MD5 hashes have this "0e..." form (so-called magic hashes): https://github.com/spaze/hashes/blob/master/md5.md
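To make the bypass and the fix concrete, here is an added PHP example (not flatCore's own code; the function names are hypothetical) that puts the loose check beside a strict comparison and a password_verify() based check, and includes a small scanner that flags plaintexts whose MD5 digest PHP would read as the number zero:

```php
<?php
// Added example (not flatCore's code): the loose-comparison bypass from the
// report beside two hardened checks. Function names are hypothetical.
declare(strict_types=1);

// Vulnerable pattern: the MD5 of the submitted password is compared to the MD5
// of the stored one with ==. When both digests are numeric strings such as
// "0e4620..." and "0e4059...", PHP compares them as floats, and both are 0.0.
function check_page_password_loose(string $stored, string $submitted): bool
{
    return md5($submitted) == md5($stored);
}

// Hardened: hash_equals() compares the two digests byte for byte (and in
// constant time), so no numeric coercion can take place.
function check_page_password_strict(string $stored, string $submitted): bool
{
    return hash_equals(md5($stored), md5($submitted));
}

// Preferred: store a salted, slow hash and verify it with password_verify(),
// which never exposes the digest to a user-controlled comparison.
function check_page_password_hashed(string $storedHash, string $submitted): bool
{
    return password_verify($submitted, $storedHash);
}

// Does a plaintext produce a "magic" MD5 digest, i.e. one PHP reads as the
// number zero ("0" followed by "e" and only digits)? Useful for scanning a
// wordlist for values that collide under == with the spaze/hashes entries.
function is_magic_md5(string $plaintext): bool
{
    return preg_match('/^0+e\d+$/', md5($plaintext)) === 1;
}

// Constructed inputs: the two plaintexts from the report plus ordinary words.
$stored = '240610708';
$candidates = ['QLTHNDT', 'password', 'admin123', '240610708'];

printf("md5(%s) = %s\n", $stored, md5($stored));
foreach ($candidates as $guess) {
    printf(
        "%-10s md5=%s magic=%s loose=%s strict=%s\n",
        $guess,
        md5($guess),
        is_magic_md5($guess) ? 'yes' : 'no',
        check_page_password_loose($stored, $guess) ? 'PASS' : 'fail',
        check_page_password_strict($stored, $guess) ? 'PASS' : 'fail'
    );
}

// Same candidates against a properly stored (salted, slow) hash.
$storedHash = password_hash($stored, PASSWORD_DEFAULT);
foreach ($candidates as $guess) {
    printf(
        "%-10s password_verify=%s\n",
        $guess,
        check_page_password_hashed($storedHash, $guess) ? 'PASS' : 'fail'
    );
}
```

Run under PHP 7 or 8, the loose check passes for QLTHNDT as well as for the real password, while hash_equals() and password_verify() pass only for 240610708. The scanner marks both report plaintexts as magic and the ordinary words as not, which is the property an attacker needs when picking a guess against an unknown magic-hash password.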

Impact

This vulnerability bypasses the page password check whenever the MD5 hash of the configured password is a magic hash, i.e. starts with 0e followed only by digits. The attacker does not need the real password: any plaintext whose MD5 hash has the same 0e... form is accepted.

We have contacted a member of the flatcore/flatcore-cms team and are waiting to hear back (13 days ago)
haxatron modified their report (13 days ago)
haxatron submitted a (13 days ago)
haxatron
13 days ago

Researcher


See my fix commit at https://github.com/Haxatron/flatCore-CMS/commit/c24a6cb4d25c5ff0e9912a165710e6870029577e

Patrick validated this vulnerability 13 days ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Patrick
13 days ago

Do you do a Pull request at GitHub? Or, how can I confirm this fix?

haxatron
13 days ago

Researcher


You can merge my fix commit

Patrick confirmed that a fix has been merged on 82788d 13 days ago
haxatron has been awarded the fix bounty