Fix type juggling vulnerability

Maximilian Wirtz · LarsMichelsen · commit 7574fd8a2903 · 2022-08-29T21:23:23.000+02:00
PHP evaluates `!=` a bit loose on the type. So "0000" == "0e5678" is
true in PHP. An attacker could send a zeroed cookie_hash `"0"*32` and
only need an collision with a calculated hash beginning with `0e`
followed by only numbers.

In our tests (with auth.secret set to `stable`) a valid cookie is
`cmkadmin:58191275:00000000000000000000000000000000`.

For a remote attacker this would have needed 58,191,275 guesses.
diff --git a/share/server/core/classes/CoreLogonMultisite.php b/share/server/core/classes/CoreLogonMultisite.php
@@ -114,12 +114,10 @@ private function checkAuthCookie($cookieName) {
             $hash = $this->generateHash($username, $sessionId, (string) $user_secret);
 
         // Validate the hash
-        if ($cookieHash != $hash) {
+        if ($cookieHash !== $hash) {
             throw new Exception();
         }
 
-        // FIXME: Maybe renew the cookie here too
-
         return $username;
     }
 

Original file line number	Diff line number	Diff line change
`@@ -114,12 +114,10 @@ private function checkAuthCookie($cookieName) {`
`114`	`114`	`$hash = $this->generateHash($username, $sessionId, (string) $user_secret);`
`115`	`115`
`116`	`116`	`// Validate the hash`
`117`		`- if ($cookieHash != $hash) {`
	`117`	`+ if ($cookieHash !== $hash) {`
`118`	`118`	`throw new Exception();`
`119`	`119`	`}`
`120`	`120`
`121`		`- // FIXME: Maybe renew the cookie here too`
`122`		`-`
`123`	`121`	`return $username;`
`124`	`122`	`}`
`125`	`123`