
Pádraic Brady:
PHP’s “Magic Hash” Vulnerability (Or Beware Of Type Juggling)
May 14, 2015 @ 12:19:43

Pádraic Brady has a new post on his site about the recently announced (but actually relatively old) issue with PHP hash comparison, the "magic hash" problem.

A while back, I noticed a flurry of activity around a somewhat obvious outcome of PHP’s type juggling antics. As the snowball gathered pace and grew, it’s being more widely reported as a vulnerability dubbed “Magic Hashes”. What is this mysterious potential vulnerability in PHP applications? The vulnerability is a straightforward outcome of PHP’s type juggling antics.

He talks about == (double equals) versus === (triple equals), how they differ, and how using the triple equals basically negates this issue. The problem comes back around to PHP's type juggling and how it assumes equality based on the data given. He includes some specific examples showing places where the issue can happen even when comparing two variables of the same type. He also mentions a separate issue, timing attacks, and how to prevent them as well.

tagged: magichash vulnerability typejuggling timing attack doubleequals tripleequals

Link: http://blog.astrumfutura.com/2015/05/phps-magic-hash-vulnerability-or-beware-of-type-juggling/

Security Affairs:
PHP hash comparison flaw is a risk for million users
May 12, 2015 @ 09:15:10

An issue has recently come (back) to light in the security community around how PHP compares hashes. This post on the Security Affairs site covers the hash comparison problem and how to prevent it in your own PHP code.

Because of a security flaw according to which PHP tackles ‘hashed’ strings in specific situation attackers are given the opportunity to try and breach passwords, authentication systems and other functions being run on PHP hash comparisons, WhiteHat security researcher says. VP of WhiteHat, Robert Hansen, declared that any website is vulnerable to the flaw – the only thing is, two specific kinds of PHP hashes the vulnerable site uses for comparing ‘hashes’ in PHP language.

The problem mostly comes down to how PHP handles typing behind the scenes. When a string starts with "0e..", PHP interprets it as scientific notation and treats it as a value equal to zero. As a result, two strings that start with "0e...", even if they don't match, will evaluate as equal. Fortunately, the fix is relatively simple (though it could be time-consuming to apply): change == (double equals) to === (triple equals). This prevents PHP from type juggling, so the values are compared as the types they were given (string to string in the case of hashes).
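The comparison behaviour described above, together with the timing-safe comparison mentioned in the first entry, as an added PHP example (not code from either linked article). The function names and the malformed digest are constructed for illustration, and the syntax assumes PHP 7.1 or later.

```php
<?php
// Added example; function names and the malformed digest are constructed for illustration.

function looseMatch(string $known, string $user): bool
{
    // Vulnerable: when both operands are numeric strings, == compares them as
    // numbers, and "0e<digits>" parses as 0 * 10^n, which is 0.
    return $known == $user;
}

function strictMatch(string $known, string $user): bool
{
    // === compares string to string with no type juggling.
    return $known === $user;
}

function safeMatch(string $known, string $user): bool
{
    // hash_equals() is also a plain string comparison, and its running time
    // does not depend on where the first differing byte is.
    return hash_equals($known, $user);
}

// Two widely published inputs whose MD5 hex digests are "0e" followed only by digits.
$stored   = md5('240610708');
$supplied = md5('QNKCDZO');

// Constructed digest-like string: starts with "0e" but ends in a hex letter,
// so it is not a numeric string and == falls back to string comparison.
$notNumeric = '0e' . str_repeat('1', 29) . 'f';

$cases = [
    'two "0e<digits>" digests'    => [$stored, $supplied],
    '"0e" prefix with hex letter' => [$notNumeric, $supplied],
    'identical digests'           => [$stored, $stored],
];

foreach ($cases as $label => [$known, $user]) {
    printf(
        "%-30s ==:%-5s ===:%-5s hash_equals:%s\n",
        $label,
        var_export(looseMatch($known, $user), true),
        var_export(strictMatch($known, $user), true),
        var_export(safeMatch($known, $user), true)
    );
}
```

Only the first row differs between the loose check and the other two, which is the case to search for when auditing `==` and `!=` comparisons on digests, tokens and signatures.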

tagged: hash comparison flaw doubleequals tripleequals

Link: http://securityaffairs.co/wordpress/36732/hacking/php-hash-comparison-flaw.html