Today I Learned - Rocky Kev

TIL how PHP treats the loose comparison (==) sign


5 == "5 of something" is in practice treated as 5 == 5.

PHP will effectively convert the entire string to an integer value based on the initial number. The rest of the string is ignored completely!

But if the string doesn't start with a number, it is converted to 0, so comparing it with 0 comes out true!

0 == "Example string" // true

When does it become a problem?

$login = unserialize($_COOKIE);

if ($login['password'] == $password) {
    // log in successfully
}

Let's say an attacker modified the password attribute so that it contained the integer 0 instead of the expected string.

As long as the stored password does not start with a number, the condition would always return true, enabling an authentication bypass.

Note that this is only possible because deserialization preserves the data type. If the code fetched the password from the request directly, the 0 would be converted to a string and the condition would evaluate to false.
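The bypass above, reproduced with a constructed cookie and placed next to a hardened check (added example, not code from the original post or the linked article; the cookie name, the stored password and the array layout are assumptions). One caveat worth knowing: the int-vs-string collapse described above applies to PHP 7.x and earlier; PHP 8 compares an int with a non-numeric string as strings, but two numeric-looking strings still compare as numbers, so strict comparison is needed on every version.

```php
<?php
// Added example: the vulnerable login check beside a hardened version.
// Constructed attacker cookie: the password field is the *integer* 0.
// unserialize() preserves the int; a plain form field would arrive as "0".
$forgedCookie = serialize(['user' => 'admin', 'password' => 0]);
$storedPassword = 'secret'; // constructed value for the demo

function vulnerableLogin(string $cookie, string $stored): bool
{
    $login = unserialize($cookie);
    // Loose comparison. On PHP 7.x the non-numeric string is cast to 0,
    // so an integer 0 in the cookie matches any password not starting
    // with a digit. PHP 8 closes that case, but numeric-looking strings
    // still collide ('1e3' == '1000' holds on every version).
    return $login['password'] == $stored;
}

function hardenedLogin(string $cookie, string $storedHash): bool
{
    // Never instantiate objects from untrusted serialized data.
    $login = @unserialize($cookie, ['allowed_classes' => false]);
    // Enforce the expected shape and type before using the value.
    if (!is_array($login)
        || !isset($login['password'])
        || !is_string($login['password'])) {
        return false;
    }
    // password_verify() compares in constant time and never uses ==.
    return password_verify($login['password'], $storedHash);
}

$storedHash = password_hash($storedPassword, PASSWORD_DEFAULT);

// Forged cookie: passes the loose check on PHP 7.x, rejected by the
// hardened check on every version.
var_dump(vulnerableLogin($forgedCookie, $storedPassword));
var_dump(hardenedLogin($forgedCookie, $storedHash));

// Legitimate cookie carrying the real password as a string.
var_dump(hardenedLogin(serialize(['password' => 'secret']), $storedHash));

// Strict comparison alone also removes the type confusion.
var_dump(0 === 'secret');
var_dump('1e3' == '1000');   // numeric strings compare as numbers
var_dump('1e3' === '1000');  // identical type and value required
```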

Via Exploiting insecure deserialization vulnerabilities
