A Typo Can Make You an Administrator
You are a developer. You put a lot of effort into making sure that your code is safe. You never trust user input, you use the best security-related development libraries. And then you make one small typo and everything is ruined.
This is not fiction. Not long ago, a pentester known as Daniel C found such a vulnerability in the PHP code of an older version of Xceedium Xsuite. This vulnerability has been patched quite some time ago but it proves how little is needed for a serious security issue to appear.
In this case, the developer typed return flase instead of return false in PHP code. Due to the forgiving nature of PHP, return flase returns the string flase, which has a logical value of true. However, PHP is not the only language where such a situation may happen.
The function where the typo appeared was used to check a shared key provided via the $get variable:
function checkSharedKey($shared_key) {
if (strlen($shared_key) != 32) {
return false;
}
if (trim($shared_key) == "") {
return flase;
}
To bypass the check, Daniel needed to provide a key that had a length of 32 bytes and that gave an empty string as a result of the trim() function. He was able to do it by supplying for example 32 spaces or 32 tabs.
Tomasz Andrzej Nidecki Technical Content WriterLinkedIn: https://mt.linkedin.com/in/tonid
Tomasz Andrzej Nidecki (also known as tonid) is a Technical Content Writer working for Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.
*** This is a Security Bloggers Network syndicated blog from Web Security Blog – Acunetix authored by Tomasz Andrzej Nidecki. Read the original post at: http://feedproxy.google.com/~r/acunetixwebapplicationsecurityblog/~3/Pm8I6IdNp3M/
