author | nashe <contact@nashe.fr> | 2015-08-03 18:51:51 +0200
---|---|---
committer | nashe <contact@nashe.fr> | 2015-08-03 18:51:51 +0200
commit | 6ad38c58a45642eb8c7844e2f272ef199f59550d (patch) |
tree | 4d315369073a15add85b1428b9777fc8b90a23f6 |
parent | 07aa4f5484dfefe4d9d5870b31d2e2269583fdd2 (diff) |
download | planet-6ad38c58a45642eb8c7844e2f272ef199f59550d.tar (also .tar.gz, .tar.bz2, .tar.xz, .zip) |
Avoid type juggling vulnerability.
Password comparison should not be done with the `==` operator, but
`===`, due to type juggling.
References:
* http://phpsadness.com/sad/47
* turbochaos.blogspot.fr/2013/08/exploiting-exotic-bugs-php-type-juggling.html
### Test case
* Create an administrator with the password "240610708".
* Try to log in to the dashboard with the password "QNKCDZO" :-)
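A PHP demonstration of the test case in the commit message, added here as an illustration and not taken from nashe's commit or from the planet code base. It assumes what the test case implies: that `pwd.inc.php` stores the administrator password as an md5 hex digest and that the login page sets the `auth` cookie to the md5 of the submitted password. `md5('240610708')` and `md5('QNKCDZO')` both start with `0e` followed only by digits, so PHP's loose `==` treats them as the numeric string for `0 * 10^n` and reports them equal; `===` and `hash_equals()` compare bytes. The function names and the candidate cookie values are constructed for the example.

```php
<?php
// Added example (not part of the planet repository): how "QNKCDZO" logs in
// as an admin whose password is "240610708" when both sides of the check
// are md5 hex digests compared with ==, and what === / hash_equals() change.

// Assumption for this example: pwd.inc.php defines $password as an md5 hex
// digest and login.php stores md5($submitted_password) in the 'auth' cookie.
// md5('240610708') is 0e462097431906509019562988736854.
$stored = md5('240610708');

// Constructed cookie values a browser might send. Every $_COOKIE value
// arrives as a string, which is why the "0e..." digests matter:
// md5('QNKCDZO') is 0e830400451993494058024219903391, another "0e" digest.
$candidates = [
    'correct password'   => md5('240610708'),
    'magic hash QNKCDZO' => md5('QNKCDZO'),
    'literal string 0'   => '0',
    'wrong password'     => md5('hunter2'),
];

// The check before the commit: loose comparison. Two numeric strings are
// compared as numbers (also in PHP 8), and "0e<digits>" is a numeric
// string whose value is zero, so any two such digests compare equal.
function check_loose(string $cookie, string $stored): bool {
    return $cookie == $stored;
}

// The commit's fix: strict comparison of both type and bytes.
function check_strict(string $cookie, string $stored): bool {
    return $cookie === $stored;
}

// Further hardening: hash_equals() (PHP >= 5.6) compares the bytes in
// constant time, so the response time does not leak how many leading
// bytes of the cookie matched the stored digest.
function check_timing_safe(string $cookie, string $stored): bool {
    return hash_equals($stored, $cookie);
}

// Print one row per candidate: the three checks side by side.
printf("%-20s %-34s %-6s %-6s %s\n",
    'candidate', 'cookie value', '==', '===', 'hash_equals');
foreach ($candidates as $label => $cookie) {
    printf("%-20s %-34s %-6s %-6s %s\n",
        $label,
        $cookie,
        var_export(check_loose($cookie, $stored), true),
        var_export(check_strict($cookie, $stored), true),
        var_export(check_timing_safe($cookie, $stored), true));
}
```

Run it with `php type_juggling.php`: the loose column accepts the magic hash and the bare `0` as well as the real digest, while the strict and `hash_equals` columns accept only the real digest. `hash_equals()` expects two strings, so in real request handling check `is_string($_COOKIE['auth'])` first, because a cookie named `auth[]` makes `$_COOKIE['auth']` an array.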
-rw-r--r-- | admin/inc/auth.inc.php | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/admin/inc/auth.inc.php b/admin/inc/auth.inc.php index d21467b..8704737 100644 --- a/admin/inc/auth.inc.php +++ b/admin/inc/auth.inc.php @@ -1,11 +1,11 @@ <?php include (dirname(__FILE__).'/pwd.inc.php'); -if ( isset($_COOKIE['auth']) && $_COOKIE['auth'] == $password ) { +if ( isset($_COOKIE['auth']) && $_COOKIE['auth'] === $password ) { //ok, cool } else { setcookie('auth','', time()-3600); header('Location: login.php'); die; } -?>
\ No newline at end of file +?> |
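Review bot: in the hunk's `$_COOKIE['auth'] === $password`, strict comparison only fixes the numeric-string case if `$password` from `pwd.inc.php` is itself a string; if that file ever defines it as a number, every login now fails silently, so pwd.inc.php should document that the value must be a string (the md5 hex digest the commit message's test case implies). The comparison is also not constant-time; since PHP 5.6, `hash_equals($password, $_COOKIE['auth'])` gives both byte-exact and timing-safe comparison, guarded by `is_string($_COOKIE['auth'])` because a cookie named `auth[]` arrives as an array and `hash_equals()` rejects non-strings. Separately, the cookie is still compared directly against `$password`, so anyone who obtains the cookie holds the secret itself; a server-side session token would keep `$password` off the wire.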