Fix Type Juggling Bypass in Auth Functions #2542
LeoColomb merged 1 commit into YOURLS:master from Wocanilo:master
Conversation
dgw left a comment:
There are probably more places where === should be used instead of ==, that aren't security-related, too. This is a good idea.
I have a test yourls installation that some bots were able to find and are once in a while injecting some malicious shortened URL into... I applied this patch, but it's still happening. Any ideas?

@skaag most likely something else involved. URL of your test install?

This is it (It has just 3 shortened links on it as a test, works fine so far):

@ozh:
Soooooo.... "bots" found and are "injecting" URL ... on your publicly available interface? Hmmkey. |
The auth functions are vulnerable to Type Juggling attacks. Non-strict comparisons can be used by an attacker to bypass auth and gain access to the admin page and API.
If PHP decides that both operands look like numbers, it will convert both and perform a numeric comparison. Ex: "0e348324" == "0e99" is true
This commit fixes 4 vulnerabilities:
Lastly, the time-limited token functionality can be abused to gain unauthorised access to the API without any requisite. Again, a type juggling attack is possible, but this time the attacker controls the result of the MD5, so thousands of requests can be made till the resultant hash takes the form of a number. We can bypass the YOURLS_NONCE_LIFE by introducing decimals in the timestamp, making the attack viable.
References:
https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf
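A defender-side illustration of the loose comparison described in the PR text above, together with a strict replacement for both a hash check and a time-limited token check. This is an added example, not YOURLS's own code or the patch in this PR; the helper names, the HMAC-SHA256 token construction (the page's token is MD5-based) and all sample values are assumptions made for the example.

```php
<?php
// Added illustration, not YOURLS code. Shows the loose comparison the PR
// describes and a strict replacement. Helper names, the HMAC construction
// and all sample values are constructed for this example.

// Both literals are numeric strings ("0e..." is 0 * 10^N), so == compares
// them as numbers and reports a match even though the bytes differ;
// === compares the strings byte for byte.
var_dump("0e348324" == "0e99");
var_dump("0e348324" === "0e99");

// Hypothetical hash/signature check: strict, constant-time, no type coercion.
function verify_signature(string $expected, string $supplied): bool
{
    return hash_equals($expected, $supplied);
}

// Hypothetical time-limited token check. $lifetime is the accepted age in
// seconds (the role YOURLS_NONCE_LIFE plays on the page); $now is passed in
// so the function is testable. The token is an HMAC over the timestamp
// (a swapped-in construction; the page describes an MD5-based token).
function verify_timed_token(
    string $secret, string $timestamp, string $token, int $lifetime, int $now
): bool {
    // Only a plain decimal integer is accepted: "1700000000.5" or "1e9"
    // must fail here rather than be coerced by a later numeric check.
    if (preg_match('/\A[0-9]{1,12}\z/', $timestamp) !== 1) {
        return false;
    }
    $issued = (int) $timestamp;
    if ($issued > $now || $now - $issued > $lifetime) {
        return false;   // from the future, or older than the allowed window
    }
    $expected = hash_hmac('sha256', $timestamp, $secret);
    return hash_equals($expected, $token);   // strict comparison, never ==
}

// Constructed check run: a token issued 30 s ago inside a 60 s window is
// accepted; the same token with a decimal timestamp is rejected by the
// format check; a token that is merely "numeric-looking" is rejected too.
$secret = 'constructed-secret';
$now    = 1700000000;
$ts     = (string) ($now - 30);
$token  = hash_hmac('sha256', $ts, $secret);
var_dump(verify_timed_token($secret, $ts, $token, 60, $now));
var_dump(verify_timed_token($secret, $ts . '.0', $token, 60, $now));
var_dump(verify_timed_token($secret, $ts, '0', 60, $now));
```

Run with the php CLI: the two comparison lines report true for == and false for ===, and the three verify_timed_token calls return true, false and false respectively.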