PHP logic error and some == wonkiness

2015.05.04

Credit: Kurt Seifried

Risk: Medium

Local: Yes

Remote: No

CVE: N/A

CWE: N/A

https://news.ycombinator.com/item?id=9484757 read the entire thread for an ongoing series of "what the heck?".

Some examples include:
=================
This is well-known PHP-trick. Use === to right result.
  php > var_dump(md5('240610708') == md5('QNKCDZO'));
  bool(true)
  php > var_dump(md5('240610708'),   md5('QNKCDZO'));


  string(32) "0e462097431906509019562988736854"
  string(32) "0e830400451993494058024219903391"  php > var_dump(md5('240610708') ===   md5('QNKCDZO'));


  bool(false)
  php > var_dump("0e462097431906509019562988736854" == "0e830400451993494058024219903391");
  bool(true)
  php > var_dump("0e462097431906509019562988736854" === "0e830400451993494058024219903391");
  bool(false)
  php > var_dump(md5('240610708') ===   md5('QNKCDZO'));
  bool(false)
  php > var_dump(md5('240610708') ==   md5('QNKCDZO'));
  bool(true)
  php > var_dump(md5('240610708') === md5('QNKCDZO'));
  bool(false)
=================

I'm guessing there is more than a bit of code that uses == to compare
passwords/etc. Something to be aware of.


-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud

References:

https://news.ycombinator.com/item?id=9484757

http://seclists.org/oss-sec/2015/q2/356

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

PHP logic error and some == wonkiness

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.