Rename password variable to 'passwd' in login.php #37
$passwd = $input['password'];

if ($username == ADMIN_USERNAME && $password == ADMIN_PASSWORD) {
if ($username == ADMIN_USERNAME && $passwd == ADMIN_PASSWORD) {
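Review bot: `$passwd = $input['password'];` in the first line reads the key without checking that it exists or that it holds a string, and the comparison in the last line still uses `==`, so the rename leaves the loose-comparison behaviour exactly as it was. Guard the input before comparing (for example `if (!is_string($passwd)) { return false; }`) and switch both operands to `===`; as written this PR is a cosmetic rename and should not merge while the `==` check remains.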
Gist: This allows complete authentication bypass with a trivial payload. An attacker can send {"username": true, "password": true} to gain admin access without knowing any credentials. This is extremely easy to exploit and critical to fix immediately.
Detection Agent: PHP Loose Comparison in Authentication
Severity: Critical
Description
The authentication check uses loose comparison (==) to compare user-supplied credentials against expected values. Since the input comes from json_decode(), which preserves native types (boolean, integer, null), this is vulnerable to type juggling attacks. An attacker can bypass authentication by sending {"username": true, "password": true} because in PHP, true == "any_string" evaluates to true.
Remediation
Replace loose comparison (==) with strict comparison (===) for all credential checks: if ($username === ADMIN_USERNAME && $passwd === ADMIN_PASSWORD). For production systems, use password_verify() with properly hashed passwords instead of comparing plaintext credentials.
Policy: PHP Loose Comparison in Authentication

No description provided.
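The bypass and the fix described in the comment above, as an added example that is not part of this PR or of the detection agent's output. It assumes the constant names `ADMIN_USERNAME` and `ADMIN_PASSWORD` from the diff, assumes the request body reaches the code through `json_decode($body, true)`, and uses constructed request bodies; the password hash is generated in the script rather than taken from the project.

```php
<?php
// Added example, not code from the PR under review.
// Shows the type-juggling bypass with loose comparison and the hardened check.
declare(strict_types=1);

// Assumed constant names taken from the diff; the values are constructed here.
const ADMIN_USERNAME = 'admin';
const ADMIN_PASSWORD = 'correct horse battery staple';

// Vulnerable check: loose comparison, mirroring login.php before the fix.
// A JSON boolean true compares equal to any non-empty string except "0".
function loginLoose(array $input): bool
{
    $username = $input['username'] ?? null;
    $passwd   = $input['password'] ?? null;
    return $username == ADMIN_USERNAME && $passwd == ADMIN_PASSWORD;
}

// Hardened check: reject non-string input, compare the username strictly and in
// constant time, and verify the password against a hash instead of plaintext.
function loginStrict(array $input, string $passwordHash): bool
{
    $username = $input['username'] ?? null;
    $passwd   = $input['password'] ?? null;
    if (!is_string($username) || !is_string($passwd)) {
        return false; // true, 1, null and arrays never reach the comparison
    }
    return hash_equals(ADMIN_USERNAME, $username)
        && password_verify($passwd, $passwordHash);
}

// Constructed here; in a real deployment the hash is stored, never the plaintext.
$hash = password_hash(ADMIN_PASSWORD, PASSWORD_DEFAULT);

// Constructed request bodies: a real login, the juggling payload, a wrong password.
$requests = [
    'legit'    => '{"username": "admin", "password": "correct horse battery staple"}',
    'juggling' => '{"username": true, "password": true}',
    'wrong'    => '{"username": "admin", "password": "nope"}',
];

foreach ($requests as $label => $body) {
    // json_decode() preserves JSON types, so "password": true becomes PHP bool true.
    $input = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
    printf(
        "%-8s loose=%-5s strict=%s\n",
        $label,
        var_export(loginLoose($input), true),
        var_export(loginStrict($input, $hash), true)
    );
}
```

Run it with `php example.php`: the `legit` body passes both checks, the `juggling` body passes only the loose check, and the `wrong` body fails both. The `is_string()` guard matters on its own because `===` with a non-string left operand simply returns false, but a guard makes the rejected case explicit and stops the boolean from ever reaching `password_verify()`, which requires a string argument.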