Use of Wrong Operator in String Comparison in flatcore/flatcore-cms


Reported on

Oct 14th 2021


Use of incorrect operator == and != for page_psw

Proof of Concept

If my actual page password is 240610708 then an attacker can key in QLTHNDT because:

md5(240610708) = 0e462097431906509019562988736854

md5(QLTHNDT) = 0e405967825401955372549139051580

And PHP will evaluate '0e462097431906509019562988736854' == '0e405967825401955372549139051580' as true. This is because == does not enforce strict type checking. Both strings are therefore treated as numbers, and since 0e... is essentially 0, the comparison is effectively 0 == 0, which is true.

List of possible passwords:


This vulnerability makes it possible to bypass the page password check without knowing the correct password when the MD5 hash of the password starts with 0e...
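The loose comparison described in this report next to a strict one, as an added example that is not part of the original report and is not flatCore's code. It assumes the page password check compares an MD5 digest of the submitted password against a stored digest; all function names are hypothetical, and the two passwords are the ones from the proof of concept.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not flatCore's actual functions.
// Assumption: page_psw is stored as an MD5 hex digest.

// Vulnerable pattern: loose comparison of two hex digests.
// When both strings look like "0e<digits>", PHP compares them as numbers.
function page_psw_matches_loose(string $storedMd5, string $submitted): bool
{
    return md5($submitted) == $storedMd5;
}

// Corrected pattern: byte-for-byte string comparison (=== also works;
// hash_equals additionally compares in constant time).
function page_psw_matches_strict(string $storedMd5, string $submitted): bool
{
    return hash_equals($storedMd5, md5($submitted));
}

// Audit helper: true if a stored digest is a numeric string of the form
// "0e<digits>", i.e. one that a loose comparison would have read as zero.
function digest_is_numeric_zero(string $digest): bool
{
    return preg_match('/^0+e[0-9]+\z/', $digest) === 1;
}

// Password values taken from the report's proof of concept.
$stored = md5('240610708');

foreach (['240610708', 'QLTHNDT', 'wrong-password'] as $candidate) {
    printf(
        "%-15s loose=%-5s strict=%s\n",
        $candidate,
        var_export(page_psw_matches_loose($stored, $candidate), true),
        var_export(page_psw_matches_strict($stored, $candidate), true)
    );
}

// Flag stored digests that were exposed to the loose comparison.
// 'wrong-password' is a constructed sample input.
var_dump(digest_is_numeric_zero($stored));
var_dump(digest_is_numeric_zero(md5('wrong-password')));
```

The audit helper can be run over existing stored page password digests to find pages whose protection depended on the loose comparison.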

We have contacted a member of the flatcore/flatcore-cms team and are waiting to hear back 13 days ago
haxatron modified their report 13 days ago
haxatron submitted a 13 days ago
13 days ago


See my fix commit at

Patrick validated this vulnerability 13 days ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
13 days ago

Do you do a Pull request at GitHub? Or, how can I confirm this fix?

13 days ago


You can merge my fix commit

Patrick confirmed that a fix has been merged on 82788d 13 days ago
haxatron has been awarded the fix bounty