Baikal: Authentication bypass

Created on 11 Mar 2017  ·  3 Comments  ·  Source: sabre-io/Baikal

The file PDOBasicAuth is vulnerable to an authentication bypass in the validateUserPass function:

    function validateUserPass($username, $password) {

        // Look up the stored digest (md5 of "username:realm:password") for this user.
        $stmt = $this->pdo->prepare('SELECT username, digesta1 FROM ' . $this->tableName . ' WHERE username = ?');
        $stmt->execute([$username]);
        $result = $stmt->fetchAll();

        if (!count($result)) return false;

        $hash = md5($username . ':' . $this->authRealm . ':' . $password);
        // Vulnerable comparison: == applies PHP type juggling to the two hex strings.
        if ($result[0]['digesta1'] == $hash)
        {
            $this->currentUser = $username;
            return true;
        }
        return false;

    }

Using the `==` operator makes the authentication test vulnerable to type juggling: if the expected hash (`$result[0]['digesta1']`) starts with `0e`, it will match against any hash that also starts with `0e`.

A way to fix this would be to use the === operator instead.
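The following is an added illustration, not code from the report or from Baikal, of the comparison problem described above and of the strict check the report recommends. The two `0e...` strings and the in-memory user table are constructed sample values (they are not real digests of any input), `checkDigest` is a hypothetical stand-in for `validateUserPass` with the PDO lookup replaced by an array, and the realm name is assumed. It uses `hash_equals()` rather than a bare `===`; both are strict, but `hash_equals()` also compares in constant time.

```php
<?php
// Added example (not Baikal's code): why a loose == comparison of hex
// digests is unsafe in PHP, and what a strict comparison looks like.

// Constructed sample values: two different hex strings that PHP's loose
// comparison treats as equal, because both parse as numeric "0 * 10^N".
$stored   = '0e1234567890123456789012345678';
$supplied = '0e9876543210987654321098765432';

var_dump($stored == $supplied);            // loose: type juggling applies
var_dump($stored === $supplied);           // strict: compared as strings
var_dump(hash_equals($stored, $supplied)); // strict and timing-safe

// Hypothetical hardened checker with the same shape as validateUserPass.
// $table maps username => stored digesta1 (constructed, replaces the PDO query).
function checkDigest(array $table, string $realm, string $username, string $password): bool
{
    if (!isset($table[$username])) {
        return false;
    }
    $expected = $table[$username];
    $hash = md5($username . ':' . $realm . ':' . $password);
    // hash_equals() compares byte for byte, so a stored "0e..." digest
    // only matches the identical string, and it runs in constant time.
    return hash_equals($expected, $hash);
}

// Constructed table and realm for the demonstration.
$realm = 'ExampleRealm';
$table = ['alice' => md5('alice:' . $realm . ':correct horse')];

var_dump(checkDigest($table, $realm, 'alice', 'correct horse'));
var_dump(checkDigest($table, $realm, 'alice', 'wrong'));
var_dump(checkDigest($table, $realm, 'nobody', 'correct horse'));
```

Run it with `php example.php`: the first `var_dump` is the loose comparison that reports the two distinct strings as equal, while the strict comparisons and `hash_equals()` do not; `checkDigest` then accepts only the exact username and password pair present in the table.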

All 3 comments

If that's the case, I think the maintainers of this tool are happy about a pull request from you :smile:

Still md5? =(

The authentication bypass is fixed in the new 0.5.2 release. Feel free to re-open the issue if you can still reproduce the problem on 0.5.2.
