This repository has been archived by the owner on Dec 13, 2022. It is now read-only.
fix(secu): Type juggling can lead to authentication bypass in (very) … #7084
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…rare cases The '==' operator is a loose comparison operator, whereas the '===' does a strict comparison. The truth table of the '==' operator is quite ugly (https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf) and can lead to undesirable integer promotion results. For instance, when loose comparing something that looks like integers, PHP will promote both strings to integers. Example: if the user's token starts with "0e" and is followed by numbers, it is bypassable by the string "00" because in PHP, ("0e123456" == "00") is TRUE. http://192.168.56.3/centreon/index.php?p=1&autologin=1&useralias=admin&token=00 Altough, the probabilty this can happen to e.g. the token is very low: 1/62 * (2/62) * (10/62)^6
miteto
approved these changes
Feb 26, 2019
sc979
approved these changes
Feb 26, 2019
|
New branch created for the validation MON-3306-gquere-authentication_bypass |
miteto
pushed a commit
that referenced
this pull request
Mar 14, 2019
…rare cases (#7084) The '==' operator is a loose comparison operator, whereas the '===' does a strict comparison. The truth table of the '==' operator is quite ugly (https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf) and can lead to undesirable integer promotion results. For instance, when loose comparing something that looks like integers, PHP will promote both strings to integers. Example: if the user's token starts with "0e" and is followed by numbers, it is bypassable by the string "00" because in PHP, ("0e123456" == "00") is TRUE. http://192.168.56.3/centreon/index.php?p=1&autologin=1&useralias=admin&token=00 Altough, the probabilty this can happen to e.g. the token is very low: 1/62 * (2/62) * (10/62)^6
miteto
pushed a commit
that referenced
this pull request
Mar 14, 2019
…rare cases (#7084) The '==' operator is a loose comparison operator, whereas the '===' does a strict comparison. The truth table of the '==' operator is quite ugly (https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf) and can lead to undesirable integer promotion results. For instance, when loose comparing something that looks like integers, PHP will promote both strings to integers. Example: if the user's token starts with "0e" and is followed by numbers, it is bypassable by the string "00" because in PHP, ("0e123456" == "00") is TRUE. http://192.168.56.3/centreon/index.php?p=1&autologin=1&useralias=admin&token=00 Altough, the probabilty this can happen to e.g. the token is very low: 1/62 * (2/62) * (10/62)^6
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
…rare cases
The '==' operator is a loose comparison operator, whereas the '===' does a strict comparison.
The truth table of the '==' operator is quite ugly (https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf) and can lead to undesirable integer promotion results.
For instance, when loose comparing something that looks like integers, PHP will promote both strings to integers.
Example: if the user's token starts with "0e" and is followed by numbers, it is bypassable by the string "00" because in PHP, ("0e123456" == "00") is TRUE.
http://192.168.56.3/centreon/index.php?p=1&autologin=1&useralias=admin&token=00
Altough, the probabilty this can happen to e.g. the token is very low:
1/62 * (2/62) * (10/62)^6
PLEASE NOTE THAT THIS PULL REQUEST IS TO INFORM YOU OF A SECURITY PROBLEM AND HAS NOT BEEN PROPERLY TESTED.