### Summary
A vulnerability in the authentication logic allows users to bypass password verification using SHA-256 magic hashes, due to loose comparison in PHP.
### Detail
In the latest version of the application, a password comparison is performed using the == operator at line 40 in front/index.php. This introduces a security issue where specially crafted "magic hash" values that evaluate to true in a loose comparison can bypass authentication.
```php
if ((isset($_SESSION["login"]) && ($_SESSION["login"] == 1)) || (isset($_COOKIE[$CookieSaveLoginName]) && $nax_Password == $_COOKIE[$CookieSaveLoginName]))
```

Because of the use of == instead of the strict ===, different strings that begin with 0e and are followed only by digits are parsed as numeric strings in scientific notation (i.e., zero) and are therefore treated as equal.
### PoC
Below is a GitHub reference containing a list of SHA-256 magic hashes used in the proof of concept:
https://github.com/spaze/hashes/blob/master/sha256.md
```text
34250003024812:0e46289032038065916139621039085883773413820991920706299695051332
TyNOQHUS:0e66298694359207596086558843543959518835691168370379069085300385
CGq'v]`1:0e24075800390395003020016330244669256332225005475416462877606139
\}Fr@!-a:0e72388986848908063143227157175161069826054332235509517153370253
|+ydg uahashcat:0e47232208479423947711758529407170319802038822455916807443812134
8W-vW:5ghashcat:0e99625202804787226908207582077273485674961623832383874594371630
mz586Ostt0:0e68778243444544519255778909858576221322537110103676691840647395
Sol7trnk00:0e57289584033733351592613162328254589214408593566331187698889096
NzQEVVCN10:0e92299296652799688472441889499080435414654298793501210067779366
Z664cnsb60:0e51257675595021973950657753067030245565435125968551772003589958
jF7qQUmx70:0e04396813052343573929892122002074460952498169617805703816566529
0e9682187459792981:0e84837923611824342735254600415455016861658967528729588256413411
0e9377421626279222:0e48575090397052833642912654053751294419348146401806328515618635
```
For instance, even if the legitimate password is set to 34250003024812, login is still possible using TyNOQHUS, because both SHA-256 digests have the form 0e..., which loose comparison treats as zero.

To fix this, it is recommended to replace the == operator with the strict identity operator ===.
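The following is an added example (not code from the affected project) that reproduces the loose-comparison behaviour described above and shows the strict fix side by side. It assumes, as the vulnerable check implies, that the stored value is the SHA-256 hex digest of the configured password; the function names are illustrative.

```php
<?php
// Added example, not the project's code. Demonstrates why == is unsafe for
// comparing hash digests and what the strict replacement looks like.

// Assumption: the stored credential is the SHA-256 hex digest of the password.
function makeHash(string $password): string
{
    return hash('sha256', $password);
}

// Vulnerable form, mirroring the advisory's check: when both operands are
// numeric strings such as "0e<digits>", PHP compares them as numbers, and
// every "0e..." string evaluates to 0.0, so distinct digests compare equal.
function vulnerableCheck(string $storedHash, string $cookieValue): bool
{
    return $storedHash == $cookieValue;
}

// Fixed form: === compares type and content byte for byte, so "0e46..." and
// "0e66..." are no longer equal. hash_equals() is the idiomatic choice for
// secret comparison because it also runs in constant time.
function fixedCheck(string $storedHash, string $cookieValue): bool
{
    return hash_equals($storedHash, $cookieValue);
}

$stored = makeHash('34250003024812'); // legitimate password from the PoC list
$forged = makeHash('TyNOQHUS');       // different password from the same list

echo "digests identical:   ", var_export($stored === $forged, true), PHP_EOL;
echo "vulnerable (==):     ", var_export(vulnerableCheck($stored, $forged), true), PHP_EOL;
echo "fixed (hash_equals): ", var_export(fixedCheck($stored, $forged), true), PHP_EOL;
```

Swapping the cookie value for any other entry from the list above produces the same split: the loose check accepts it, the strict check does not.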
### Impact
This issue falls under the Login Bypass vulnerability class. Users with certain "weird" passwords that produce magic hashes are particularly affected. Services relying on this logic are at risk of unauthorized access.