CVE-2018-10362 (GCVE-0-2018-10362)

Vulnerability from cvelistv5 – Published: 2018-04-25 05:00 – Updated: 2024-08-05 07:39
VLAI?
Summary
An issue was discovered in phpLiteAdmin 1.9.5 through 1.9.7.1. Due to loose comparison with '==' instead of '===' in classes/Authorization.php for the user-provided login password, it is possible to login with a simpler password if the password has the form of a power in scientific notation (like '2e2' for '200' or '0e1234' for '0'). This is possible because, in the loose comparison case, PHP interprets the string as a number in scientific notation, and thus converts it to a number. After that, the comparison with '==' casts the user input (e.g., the string '200' or '0') to a number, too. Hence the attacker can login with just a '0' or a simple number he has to brute force. Strong comparison with '===' prevents the cast into numbers.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T07:39:07.431Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://k3research.outerhaven.de/posts/small-mistakes-lead-to-big-problems.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/phpLiteAdmin/pla/issues/11"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-04-25T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in phpLiteAdmin 1.9.5 through 1.9.7.1. Due to loose comparison with \u0027==\u0027 instead of \u0027===\u0027 in classes/Authorization.php for the user-provided login password, it is possible to login with a simpler password if the password has the form of a power in scientific notation (like \u00272e2\u0027 for \u0027200\u0027 or \u00270e1234\u0027 for \u00270\u0027). This is possible because, in the loose comparison case, PHP interprets the string as a number in scientific notation, and thus converts it to a number. After that, the comparison with \u0027==\u0027 casts the user input (e.g., the string \u0027200\u0027 or \u00270\u0027) to a number, too. Hence the attacker can login with just a \u00270\u0027 or a simple number he has to brute force. Strong comparison with \u0027===\u0027 prevents the cast into numbers."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-04-25T05:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://k3research.outerhaven.de/posts/small-mistakes-lead-to-big-problems.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/phpLiteAdmin/pla/issues/11"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-10362",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in phpLiteAdmin 1.9.5 through 1.9.7.1. Due to loose comparison with \u0027==\u0027 instead of \u0027===\u0027 in classes/Authorization.php for the user-provided login password, it is possible to login with a simpler password if the password has the form of a power in scientific notation (like \u00272e2\u0027 for \u0027200\u0027 or \u00270e1234\u0027 for \u00270\u0027). This is possible because, in the loose comparison case, PHP interprets the string as a number in scientific notation, and thus converts it to a number. After that, the comparison with \u0027==\u0027 casts the user input (e.g., the string \u0027200\u0027 or \u00270\u0027) to a number, too. Hence the attacker can login with just a \u00270\u0027 or a simple number he has to brute force. Strong comparison with \u0027===\u0027 prevents the cast into numbers."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://k3research.outerhaven.de/posts/small-mistakes-lead-to-big-problems.html",
              "refsource": "MISC",
              "url": "http://k3research.outerhaven.de/posts/small-mistakes-lead-to-big-problems.html"
            },
            {
              "name": "https://github.com/phpLiteAdmin/pla/issues/11",
              "refsource": "MISC",
              "url": "https://github.com/phpLiteAdmin/pla/issues/11"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-10362",
    "datePublished": "2018-04-25T05:00:00",
    "dateReserved": "2018-04-25T00:00:00",
    "dateUpdated": "2024-08-05T07:39:07.431Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-10362\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2018-04-25T05:29:00.313\",\"lastModified\":\"2024-11-21T03:41:15.950\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in phpLiteAdmin 1.9.5 through 1.9.7.1. Due to loose comparison with \u0027==\u0027 instead of \u0027===\u0027 in classes/Authorization.php for the user-provided login password, it is possible to login with a simpler password if the password has the form of a power in scientific notation (like \u00272e2\u0027 for \u0027200\u0027 or \u00270e1234\u0027 for \u00270\u0027). This is possible because, in the loose comparison case, PHP interprets the string as a number in scientific notation, and thus converts it to a number. After that, the comparison with \u0027==\u0027 casts the user input (e.g., the string \u0027200\u0027 or \u00270\u0027) to a number, too. Hence the attacker can login with just a \u00270\u0027 or a simple number he has to brute force. Strong comparison with \u0027===\u0027 prevents the cast into numbers.\"},{\"lang\":\"es\",\"value\":\"Se ha descubierto un problema en phpLiteAdmin, desde la versi\u00f3n 1.9.5 hasta la 1.9.7.1. Debido a una comparaci\u00f3n vaga con \\\"==\\\" en lugar de \\\"===\\\" en classes/Authorization.php para la contrase\u00f1a de inicio de sesi\u00f3n proporcionada por el usuario, es posible iniciar sesi\u00f3n con una contrase\u00f1a m\u00e1s simple si la contrase\u00f1a est\u00e1 en forma de potencia en notaci\u00f3n cient\u00edfica (como  \\\"2e2\\\" para \\\"200\\\" o \\\"0e1234\\\" para \\\"0\\\"). Esto es posible porque, en el caso de la comparaci\u00f3n vaga, PHP interpreta las cadenas como un n\u00famero en notaci\u00f3n cient\u00edfica y, por lo tanto, la convierte en un n\u00famero. Tras eso, la comparaci\u00f3n con \\\"==\\\" tambi\u00e9n convierte las entradas del usuario (por ejemplo, las cadenas \\\"200\\\" o \\\"0\\\") a un n\u00famero. Por lo tanto, el atacante puede iniciar sesi\u00f3n con solo un \\\"0\\\" o con un n\u00famero simple que debe adivinar mediante fuerza bruta. Las comparaciones fuertes con \\\"===\\\" evitan la conversi\u00f3n a n\u00famero.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:phpliteadmin:phpliteadmin:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.9.5\",\"versionEndIncluding\":\"1.9.7.1\",\"matchCriteriaId\":\"C5B28B97-F635-4E13-80F5-B993782391CE\"}]}]}],\"references\":[{\"url\":\"http://k3research.outerhaven.de/posts/small-mistakes-lead-to-big-problems.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Technical Description\",\"Third Party Advisory\",\"URL Repurposed\"]},{\"url\":\"https://github.com/phpLiteAdmin/pla/issues/11\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"http://k3research.outerhaven.de/posts/small-mistakes-lead-to-big-problems.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Technical Description\",\"Third Party Advisory\",\"URL Repurposed\"]},{\"url\":\"https://github.com/phpLiteAdmin/pla/issues/11\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.