[evolvis-commits] r18333: small-fixes pending merges:↵ Thorsten Glaser 2012-04-12 another type-coërcing vulnerability↵ Thorsten Glaser 2012-04-12 SECURITY: use non-coërcing comparison with MD5 values

mirabilos at evolvis.org mirabilos at evolvis.org
Thu Apr 12 10:42:05 CEST 2012


Author: mirabilos
Date: 2012-04-12 10:42:04 +0200 (Thu, 12 Apr 2012)
New Revision: 18333

Modified:
   trunk/gforge_base/evolvisforge-5.1/src/common/include/session.php
Log:
small-fixes pending merges:
  Thorsten Glaser 2012-04-12 another type-coërcing vulnerability
    Thorsten Glaser 2012-04-12 SECURITY: use non-coërcing comparison with MD5 values

Vulnerability identifier: FEFE-b17a03df

Modified: trunk/gforge_base/evolvisforge-5.1/src/common/include/session.php
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/src/common/include/session.php	2012-04-11 12:04:05 UTC (rev 18332)
+++ trunk/gforge_base/evolvisforge-5.1/src/common/include/session.php	2012-04-12 08:42:04 UTC (rev 18333)
@@ -47,7 +47,7 @@
 function session_build_session_cookie($user_id) {
 	if (strlen(forge_get_config('host_uuid')) < 12 ||
 	    /* also catch MD5(empty string) */
-	    forge_get_config('host_uuid') == 'd41d8cd98f00') {
+	    forge_get_config('host_uuid') === 'd41d8cd98f00') {
 		exit_error('ATTN sysadmin: upgrade your host_uuid');
 	}
 	$session_serial = $user_id . '-*-' . time() . '-*-' .
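Review bot: The strict comparison on the `+` line still only catches a host_uuid that is exactly the 12-character prefix of md5(''); a full 32-character `d41d8cd98f00b204e9800998ecf8427e` passes the `strlen(...) < 12` test and is not equal to the literal, so it would slip through if the config can ever hold an untruncated value (whether it can is not visible here). Comparing the prefix covers both forms, `substr(forge_get_config('host_uuid'), 0, 12) === 'd41d8cd98f00'`, and reading the config once into a local, `$host_uuid = forge_get_config('host_uuid');`, avoids the repeated lookups and makes both checks read against the same value. The body of session_build_session_cookie continues past the hunk.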
@@ -86,7 +86,7 @@
 	$new_hash = md5(forge_get_config('host_uuid') .
 	    $session_serial . forge_get_config('session_key'));
 
-	if ($hash != $new_hash) {
+	if ($hash !== $new_hash) {
 		return false;
 	}
 
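Review bot: `$hash !== $new_hash` on the `+` line is a byte-by-byte string compare that stops at the first mismatching byte, so a caller who controls `$hash` (it arrives from the client somewhere above the hunk, presumably the session cookie) can measure how many leading bytes of the expected MD5 they have right. Where the deployment's PHP provides it, `if (!is_string($hash) || !hash_equals($new_hash, $hash)) { return false; }` gives a constant-time compare (the `is_string` guard is needed because hash_equals() warns on non-strings); on older interpreters a loop that XORs all 32 bytes before deciding does the same. The strict `!==` remains the right baseline, since it also rejects a non-string `$hash` without coercion. The enclosing function starts before the hunk, so where `$hash` and `$session_serial` are parsed is not visible here.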
@@ -198,13 +198,13 @@
 
 		// Compare (crypt) unix_pw first
 		$is_valid = false;
-		if (crypt($passwd, $usr['unix_pw']) == $usr['unix_pw']) {
+		if (crypt($passwd, $usr['unix_pw']) === $usr['unix_pw']) {
 			$is_valid = true;
 		} else if (
 			/* check for "{crypt}foo" */
 			strlen($usr['unix_pw']) >= 8 &&
 			substr($foo, 0, 7) == '{crypt}' &&
-			crypt($passwd, substr($usr['unix_pw'], 7)) ==
+			crypt($passwd, substr($usr['unix_pw'], 7)) ===
 			substr($usr['unix_pw'], 7)) {
 			/* we regenerate both user_pw and unix_pw below → ok */
 			$is_valid = true;
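Review bot: The `else if` branch tests `substr($foo, 0, 7) == '{crypt}'` while the length check and the crypt() call in the same condition use `$usr['unix_pw']`; unless `$foo` is assigned that same value above the hunk (its definition is not visible), the `{crypt}` prefix is being looked for in the wrong variable, and this is also the one `==` in the condition the commit leaves behind. I would make that line read `substr($usr['unix_pw'], 0, 7) === '{crypt}' &&` so it inspects the field it then strips with `substr($usr['unix_pw'], 7)`. The enclosing function starts before and ends after the hunk.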
@@ -253,7 +253,7 @@
 		$usr = db_fetch_array($res);
 		$num_uid = $usr['user_id'];
 
-		if (crypt($passwd, $usr['unix_pw']) == $usr['unix_pw']) {
+		if (crypt($passwd, $usr['unix_pw']) === $usr['unix_pw']) {
 			$is_valid = true;
 		} else {
 			$is_valid = false;
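Review bot: The strict compare on the `+` line validates against `$usr['unix_pw']` straight out of `db_fetch_array($res)` with no visible check that a row was returned or that the field is non-empty; the hunk begins right after the fetch, so such a check may exist above it. With an empty or NULL stored value, crypt() is left to pick its own salt and the result cannot equal the empty string, so the outcome is a reject, but a reject by accident rather than by intent. Rejecting explicitly first, `if (!isset($usr['unix_pw']) || $usr['unix_pw'] === '') { $is_valid = false; } elseif (crypt($passwd, $usr['unix_pw']) === $usr['unix_pw']) {`, documents that intent and does not depend on how crypt() handles a missing salt. The else branch continues past the hunk.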


