Date: Mon, 04 May 2015 10:21:09 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: PHP and some == wonkiness

https://news.ycombinator.com/item?id=9484757 read the entire thread for
an ongoing series of "what the heck?".

Some examples include:
=================
This is a well-known PHP trick. Use === for the right result.
  php > var_dump(md5('240610708') == md5('QNKCDZO'));
  bool(true)
  php > var_dump(md5('240610708'), md5('QNKCDZO'));
  string(32) "0e462097431906509019562988736854"
  string(32) "0e830400451993494058024219903391"
  php > var_dump(md5('240610708') === md5('QNKCDZO'));
  bool(false)
  php > var_dump("0e462097431906509019562988736854" == "0e830400451993494058024219903391");
  bool(true)
  php > var_dump("0e462097431906509019562988736854" === "0e830400451993494058024219903391");
  bool(false)
=================

I'm guessing there is more than a bit of code that uses == to compare
passwords/etc. Something to be aware of.


-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
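The following is an added example, not part of Kurt's post or the Hacker News thread it links to. It shows the loose-comparison behaviour from the quoted session inside a hash-check function, next to the two forms a defender should use instead: `===` (no type juggling) and `hash_equals()` (no type juggling and constant-time), and finally `password_verify()` for real password storage. The function names are assumptions made up for this example; the two input strings are the ones from the post.

```php
<?php
// Added example (not from the original post). Demonstrates why == must never be
// used to compare hashes or secrets in PHP, and what to use instead.

// Vulnerable pattern: == applies PHP's comparison rules, and two *numeric*
// strings are compared as numbers. "0e462097431906509019562988736854" and
// "0e830400451993494058024219903391" both parse as 0 * 10^N, i.e. 0, so they
// compare equal even though the bytes differ. This is still true on PHP 8.
function unsafe_hash_check(string $storedMd5, string $provided): bool
{
    return md5($provided) == $storedMd5;
}

// Better: === compares type and value with no numeric conversion.
// It is not constant-time, so it can still leak how many leading bytes matched.
function strict_hash_check(string $storedMd5, string $provided): bool
{
    return md5($provided) === $storedMd5;
}

// Best for comparing two digests/tokens: hash_equals() (PHP >= 5.6) does a
// byte-for-byte comparison in time independent of where the first mismatch is.
// The known-good value goes first, the user-supplied value second.
function safe_hash_check(string $storedMd5, string $provided): bool
{
    return hash_equals($storedMd5, md5($provided));
}

// The two strings from the post: both md5 digests start with "0e" followed by
// digits only, which is what makes them numeric strings in PHP's eyes.
$storedMd5 = md5('240610708');
$guess     = 'QNKCDZO';

var_dump(unsafe_hash_check($storedMd5, $guess)); // loose: treats the two digests as equal
var_dump(strict_hash_check($storedMd5, $guess)); // strict: digests differ
var_dump(safe_hash_check($storedMd5, $guess));   // constant-time: digests differ

// For passwords, do not compare raw hashes at all. password_hash() produces a
// salted, slow hash and password_verify() does the constant-time check for you
// (PHP >= 5.5).
$pwHash = password_hash('example-password', PASSWORD_DEFAULT);
var_dump(password_verify('example-password', $pwHash)); // correct password accepted
var_dump(password_verify($guess, $pwHash));             // wrong password rejected
```

Run it with `php example.php`; the first `var_dump` prints `bool(true)` exactly as in the quoted session, while the `===` and `hash_equals()` checks print `bool(false)`. When auditing a code base for this class of bug, the pattern to look for is any `==` or `!=` whose operands are hashes, HMACs, tokens or other secrets (for example `md5(...) ==`, `sha1(...) ==`, `$token == $_GET[...]`); each such site should be replaced with `hash_equals()` or, for passwords, with `password_verify()`.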