oss-sec mailing list archives
Re: PHP and some == wonkiness
From: Grandma Eubanks <tborland1 () gmail com>
Date: Tue, 5 May 2015 12:07:02 -0500
http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html

Your examples are seen often, and the md5 comparison example was exploited in SMF as my public exploit shows in the above link.

    if (empty($_POST['code']) || substr($realCode, 0, 10) != substr(md5($_POST['code']), 0, 10)) [4]
    {
        // Stop brute force attacks like this.
        validatePasswordFlood($_POST['u'], $flood_value, false); [5]
    }

There are also other interesting oddities with their juggling system. I provide several links to how you can see them, but one of my favorites is:

    if ($input < "30") {
        print("$input < 30\t");
        print((int)$input);
    }

You can see how this is bypassed under the "Math is Crazy" section and then think on how this can be extrapolated.

On Tue, May 5, 2015 at 4:01 AM, mancha <mancha1 () zoho com> wrote:
> On Tue, May 05, 2015 at 08:24:42AM +0000, mancha wrote:
> > On Tue, May 05, 2015 at 09:44:00AM +0200, Florian Weimer wrote:
> > > On 05/05/2015 09:26 AM, mancha wrote:
> > > > Taking sha1 as our reference hash and "==" as our equivalence relation:
> > > >
> > > > All [a-f][0-9a-f]{39} are in equivalence class A.
> > > > All 42[a-f][0-9a-f]{37} are in equivalence class B.
> > > >
> > > > Note: those regexes aren't representative of the full equivalence classes because prepending 0s doesn't alter the value (i.e. 0[a-f][0-9a-f]{38} is in equivalence class "A" as well).
> > >
> > > I cannot reproduce this. Or you use “equivalence class” in a non-standard way.
> > >
> > > --
> > > Florian Weimer / Red Hat Product Security
> >
> > I was using "equivalence class" in a standard way but misunderstood PHP's casting rules when comparing strings so never mind that comment.
> >
> > To raise the SNR back up, I agree with your assessment if we account for prepended 0s. So out of the 16^40 total hashes, I believe 10^38+10^37+...+10^1 of them will evaluate to float(0). A bit higher than your estimate (which only considered 10^38 of them). Same order of magnitude though.
> >
> > --mancha
>
> That has a small off-by-one because 40 0s will be cast to float(0) when compared to those.
>
> Also, we have equivalence classes such as:
>
> 2e00000000000000000000000000000000000001
> 02e0000000000000000000000000000000000001
> ...
> 0000000000000000000000000000000000002e01
> 00000000000000000000000000000000000002e1
> 0000000000000000000000000000000000000020
>
> --mancha
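The behaviour the thread is arguing about, as an added Python model that is not code from the thread, from SMF or from PHP itself: it reproduces how PHP's `==` treats two hex digests (numeric comparison when both sides are numeric strings, bytewise otherwise), shows the exact comparison the SMF check should have used, and checks mancha's 10^38+...+10^1 (+1) count against brute-force enumeration at small digest lengths. Function names and the sample digests other than the two taken from mancha's list are constructed for this example.

```python
import hmac
import itertools
import re

# Within the hex alphabet, PHP's numeric-string rule reduces to: decimal digits,
# optionally followed by an exponent "e<digits>". Whitespace, sign and "." cannot
# occur in a hex digest; any other hex letter (a-d, f) makes the string non-numeric,
# and PHP then compares the two strings byte for byte.
NUMERIC_HEX = re.compile(r"^[0-9]+(?:e[0-9]+)?$")

def php_numeric_value(s):
    """Float PHP derives from s under ==, or None when s is not a numeric string."""
    if NUMERIC_HEX.match(s) is None:
        return None
    return float(s)  # "0e1234..." -> 0.0, "2e01" -> 20.0, "0020" -> 20.0

def php_loose_eq(a, b):
    """Model of PHP `==` on two strings: numeric compare if both are numeric, else bytewise."""
    va, vb = php_numeric_value(a), php_numeric_value(b)
    if va is not None and vb is not None:
        return va == vb
    return a == b

def safe_eq(a, b):
    """What the check should do instead: exact, fixed-time comparison (PHP: hash_equals / ===)."""
    return hmac.compare_digest(a.encode(), b.encode())

def magic_hashes(digests):
    """Audit helper: digests that PHP would compare numerically under == ("magic" hashes)."""
    return [d for d in digests if php_numeric_value(d) is not None]

def count_zero_valued_hex(length):
    """Closed form from the thread: hex strings of this length that == treats as float(0).
    "0"*k + "e" + (length-k-1) digits for k = 1 .. length-2 gives 10^(length-2)+...+10^1,
    plus the all-zero string (mancha's off-by-one)."""
    return sum(10 ** (length - k - 1) for k in range(1, length - 1)) + 1

def brute_count_zero_valued_hex(length):
    """Cross-check of the closed form by enumerating every hex string of that length."""
    return sum(1 for t in itertools.product("0123456789abcdef", repeat=length)
               if php_numeric_value("".join(t)) == 0.0)

if __name__ == "__main__":
    a = "2e00000000000000000000000000000000000001"  # both taken from mancha's list above
    b = "0000000000000000000000000000000000000020"
    print("PHP == :", php_loose_eq(a, b), " hash_equals-style:", safe_eq(a, b))
    print("zero-valued 4-char hex strings:", count_zero_valued_hex(4), brute_count_zero_valued_hex(4))
```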