PHP hash comparison flaw is a risk for million users

Pierluigi Paganini May 11, 2015

New PHP vulnerability dubbed ‘Magic Hash’ being found by Robert Hansen (aka RSnake) of WhiteHat Security can enable attackers into breaching users’ accounts.

New vulnerability dubbed ‘Magic Hash’ being found by Robert Hansen (aka RSnake) of WhiteHat Security can enable attackers into breaching users’ accounts.

Because of a security flaw according to which PHP tackles ‘hashed’ strings in specific situation attackers are given the opportunity to try and breach passwords, authentication systems and other functions being run on PHP hash comparisons, WhiteHat security researcher says.

VP of WhiteHat, Robert Hansen, declared that any website is vulnerable to the flaw – the only thing is, two specific kinds of PHP hashes the vulnerable site uses for comparing ‘hashes’ in PHP language.

PHP backdoor sample 2

The problem occurs in the way hashed strings are handled by PHP when either “!=” or “==” (double equal) operators are being utilized to compare ‘em. Whenever any of these 2 operators gets to use for comparing the hashes, PHP interprets every hashed value that begins with the ‘0e’ with 0 as the value for it.

The issue mostly affects authentication, but it could also effect “forgot password” flows, nonces, binary checking, cookies, and passwords, among other things, Hansen, aka RSnake, told Dark Reading. “It totally depends on the website, and how it’s constructed.”

“Think of “0e…” as being the scientific notation for “0 to the power of some value” and that is always “0”, Hansen noted in a blog post Friday. “PHP interprets the string as an Integer.”

So take it as if two passwords are being hacked and the hashed values for both beings with ‘0e’ that’s followed with numerals, PHP is going to intercept both of them as having same value being 0. Despite the fact that hash values associated with these two passwords a different all together, still PHP would treat both as number 0 in case 0e is what with which they begin and whenever either ‘!=’ or ‘==’ are used.

There is no doubt that implications of the issue are huge, as it gives the attackers a way for trying and compromising users’ account simply by inserting a string of code that whenever hashed is equated to the 0 by PHP. Hansen said, if a password in the database is represented the same way, the attacker will get access to the account.

Hansen said, the problem itself has been known for at least a year. But what hasn’t been available are examples of hash types that when hashed begin with the ‘0e’ format that ends up getting equated to zero, he added further.

Hansen listed a decent number of “magic” numbers that can be used for the passwords, which whenever hashed, get treated as Zero by the PHP.

When such hashes are compared against the hashes of actual password, values that are also treated as 0 by PHP they end up getting evaluated as being equivalent, or true. In such cases attackers will be able to log into the account without the valid password, he said.

To find strings, he iterated more than one billion ‘hashed’ integers of various hash types such as SHA1 and MD5. Though the trick was not much sufficient it worked reasonably good to find string codes that triggered weakness for the most hash-algorithms having 32 characters (or less) as their length, stated Hansen in his blog.

Hansen stated he estimated the chances of a 32-character hash triggering the issue was somewhere in the range of 1 in 200 million. Now it might look like a low probability to many folks, but still, most of the times it’s enough for the attackers who go with trying and triggering the flaw – more specifically, websites with high volume of traffic or those who’ve a number of credentials.

He said, addressing the problem is very simple. Websites using PHP should analyze their code for hash comparisons in PHP using ‘==’ or ‘!= and change them to ‘===’ or ‘!==’ respectively, said Hansen.

Written by: Ali Qamar, Founder/Chief Editor at

Author Bio:
Ali Qamar is an Internet security research enthusiast who enjoys “deep” research to dig out modern discoveries in the security industry. He is the founder and chief editor at Security Gladiators, an ultimate source for cyber security. To be frank and honest, Ali started working online as a freelancer and still shares the knowledge for a living. He is passionate about sharing the knowledge with people, and always try to give only the best. Follow Ali on Twitter @AliQammar57

Pierluigi Paganini

(Security Affairs –  PHP, hacking)

you might also like

leave a comment