The file PDOBasicAuth is vulnerable to an authentication bypass in the `validateUserPass` function:
```php
function validateUserPass($username, $password) {
    $stmt = $this->pdo->prepare('SELECT username, digesta1 FROM ' . $this->tableName . ' WHERE username = ?');
    $stmt->execute([$username]);
    $result = $stmt->fetchAll();
    if (!count($result)) return false;
    $hash = md5($username . ':' . $this->authRealm . ':' . $password);
    if ($result[0]['digesta1'] == $hash)
    {
        $this->currentUser = $username;
        return true;
    }
    return false;
}
```
Using the `==` operator makes the authentication test vulnerable to type juggling: if the expected hash ($result[0]['digesta1']) starts with `0e`, it will match against any hash that also starts with `0e`.

A way to fix this would be to use the `===` operator instead.
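The comparison behaviour described in the issue, as an added example that is not part of the original report or the project's code: it runs the loose check beside a string-only check over constructed digest values, and flags stored digests that PHP would read as a zero-valued float. The function names and sample rows are assumptions made for illustration, and `hash_equals()` is used here in place of the `===` the issue suggests (both compare as strings; `hash_equals()` also runs in constant time).

```php
<?php
// Added example; not the project's code. Every digest below is a constructed
// string, not the MD5 output of any real credential.

// The comparison from validateUserPass(): two numeric strings are compared
// as numbers, so "0e<digits>" on both sides evaluates to 0.0 == 0.0.
function looseMatch(string $stored, string $computed): bool
{
    return $stored == $computed;
}

// Hardened form: byte-for-byte string comparison in constant time.
function strictMatch(string $stored, string $computed): bool
{
    return hash_equals($stored, $computed);
}

// Audit helper (hypothetical name): true when a stored digest is "0e"
// followed only by decimal digits, the case the loose comparison mishandles.
function isZeroExponentDigest(string $digest): bool
{
    return preg_match('/^0e[0-9]+$/D', $digest) === 1;
}

// Constructed stand-ins for rows of the digesta1 column.
$rows = [
    'alice' => '0e' . str_repeat('1', 30),      // numeric string, value 0
    'bob'   => '0e1111' . str_repeat('a', 26),  // hex letters: not numeric
    'carol' => '5f' . str_repeat('3', 30),      // ordinary digest shape
];

// Constructed stand-in for the digest computed from a wrong password.
$computed = '0e' . str_repeat('7', 30);

foreach ($rows as $user => $stored) {
    printf(
        "%-6s prone=%-5s loose=%-5s strict=%s\n",
        $user,
        var_export(isZeroExponentDigest($stored), true),
        var_export(looseMatch($stored, $computed), true),
        var_export(strictMatch($stored, $computed), true)
    );
}
```

Running `isZeroExponentDigest()` over the stored `digesta1` values shows which accounts were exposed while the loose comparison was in place.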
If that's the case, I think the maintainers of this tool would be happy about a pull request from you :smile:
Still md5? =(
The authentication bypass is fixed in the new 0.5.2 release. Feel free to re-open the issue if you can still reproduce the problem on 0.5.2.