Comments on Regalado (In) Security: Unauthorized Access: Bypassing PHP strcmp()

14 comments, newest first.

Anonymous, 2013-08-08:
The lack of knowledge of a few commenters around here either makes me laugh or cry. The ones who think that lacking knowledge of how a function works is a language "security" bug should either stop pretending to be "security people", or stop commenting until much later, when they have more knowledge.

Anonymous, 2013-07-17:
PHP is the best and most popular programming language in the world. Today all users want PHP web application development (http://www.greymatterindia.com/php-application-development) because it is easy to manage and also cheap. It is fast to develop and user friendly too.

Anonymous, 2013-06-27:
This blog is really informative; I really had fun reading it.

Danux, 2013-03-06:
I think that since PHP is open source we need to use it "at our own risk" :-(

Still, I am wondering why not disable the "==" operand in the strcmp command and just allow "==="? Compatibility/legacy issues? I am sure there must be a valid reason.

Danux, 2013-03-06:
Hi Anonymous, I did not spoof my IP; as explained in the blog, that was not an option. You could spoof your IP address by creating a socket from scratch and changing the source IP in the packet so that Apache sets the REMOTE_ADDR env variable to 127.0.0.1 and therefore PHP gets the same information. This scenario works one way, since no response will be received from the web app.

lanzz (http://twitter.com/_lanzz_), 2013-03-05:
Do you know what answer you'd get if you post a bug ticket in the PHP tracker for a security issue that possibly affects tens of thousands of sites? "Thank you for your report, but this is not a bug."

Every wrong, misguided, insane or simply meaningless behavior in PHP is dismissed as "works as intended" by the dev team.

Anonymous, 2013-03-05:
Hi,

My team solved that challenge in the same way, but I am wondering how exactly you spoof $_SERVER['REMOTE_ADDR']?
I know you can spoof some headers, but not REMOTE_ADDR (as it is not a header).

Dan Weber, 2013-03-04:
On PHP 5.2.13 and 5.2.17, I can't get strcmp to return zero when comparing the string "danux" to the array ('id' => '127.0.0.1', 'ps' => 'bar'). It always returns 1 or -1, depending on the order.

Anonymous, 2013-03-04:
I do not understand why use "strcmp()" instead of "===". The first is for comparison, the second for an equality test. I think for password hashes it is not necessary to compare, e.g., to know whether the result is lesser or greater.

Martin Holst Swende, 2013-03-04:
Did you try using the X-Forwarded-For HTTP header to "spoof" the IP address? If this is included in the request, it often winds up being used as the remote address instead of the actual TCP endpoint, which is assumed to belong to an HTTP proxy.

Danux, 2013-03-03:
Cool stuff guys, thanks for sharing; honestly, I did not even know about the "===" operand.

Kousuke Ebihara (http://co3k.org/), 2013-03-03:
Very interesting post.

I've noticed that the behavior of strcmp() is different between PHP 5.2 and PHP 5.3+.

In PHP 5.2, strcmp('Array', array()) returns 0 (not NULL) because the arguments of this function should be converted to String (see also: http://jp2.php.net/manual/en/language.types.string.php#language.types.string.casting).

But since PHP 5.3, strcmp('...', array()) returns NULL, as you say.

I can't find any description of this change yet, but here's the commit that triggered it:
https://github.com/php/php-src/commit/58a673a9094bd26453e2b910b87ae45800ecc88c#L11L326
Oh, by removing convert_to_string_ex(), strcmp() returns NULL in case its arguments are an array().

It's a very interesting thing too, isn't it?

Wes Mason (http://1stvamp.org/), 2013-03-03:
This is because on error strcmp() returns NULL, which when using the type-unsafe equality comparison operator == evaluates to 0, as will any string and any number value >0<1.

To avoid this hideous security hole developers should use the type-safe equality comparison operator with strcmp, e.g.:

strcmp($str1, $str2) === 0

Anonymous, 2013-03-03:
Very very nice! I wonder if this still works if the strcmp is used like strcmp($password, $_POST["ps"]) === 0
with three equal signs (strict comparison in PHP). I'm kinda lazy to test it right now and I hope it does not work, but if it does, then PHP is full of shit.
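The mechanism discussed in the Wes Mason and Kousuke Ebihara comments above, as an added example that is not code from the original post or from any commenter: a password check written three ways, fed a string and an array in place of $_POST['ps']. It assumes PHP 5.3 through 7.x, where strcmp() with a non-string argument emits a warning and returns NULL (the version range Kousuke identifies); on PHP 8 strcmp() throws a TypeError instead, which the code catches and treats as a failed check. The secret 'danux' and the three inputs are constructed for the demonstration, and hash_equals() requires PHP 5.6 or later.

```php
<?php
// Added example (not code from the original post or its comments).
// Shows why `strcmp($a, $b) == 0` is bypassable when an attacker submits an
// array (e.g. ps[]=bar, which PHP turns into $_POST['ps'] = array('bar')),
// and why `=== 0` or an explicit type check closes the hole.
//
// Assumptions: PHP 5.3 through 7.x, where strcmp() with a non-string argument
// emits a warning and returns NULL. On PHP 8 it throws TypeError instead; that
// is caught below and treated as a failed check. hash_equals() needs PHP >= 5.6.

// Constructed secret; the real challenge compared against a server-side value.
$secret = 'danux';

// Vulnerable form: loose comparison. NULL == 0 is true, so a non-string
// input is accepted without ever matching the secret.
function vulnerable_check($submitted, $secret) {
    try {
        return @strcmp($submitted, $secret) == 0;
    } catch (TypeError $e) {   // PHP 8 only: strcmp() refuses non-strings
        return false;
    }
}

// Strict form suggested in the comments: NULL === 0 is false, so the
// array trick no longer passes.
function strict_check($submitted, $secret) {
    try {
        return @strcmp($submitted, $secret) === 0;
    } catch (TypeError $e) {   // PHP 8 only
        return false;
    }
}

// Hardened form: refuse anything that is not a string up front, then compare
// in constant time so the comparison leaks no timing information either.
function hardened_check($submitted, $secret) {
    if (!is_string($submitted)) {
        return false;
    }
    return hash_equals($secret, $submitted);
}

// Constructed inputs standing in for what $_POST['ps'] would contain.
$inputs = array(
    'correct password' => 'danux',
    'wrong password'   => 'wrong',
    'array (ps[]=bar)' => array('bar'),
);

foreach ($inputs as $label => $value) {
    printf("%-18s vulnerable=%-5s strict=%-5s hardened=%s\n",
        $label,
        var_export(vulnerable_check($value, $secret), true),
        var_export(strict_check($value, $secret), true),
        var_export(hardened_check($value, $secret), true));
}
```

Run it with `php strcmp_bypass.php` (any file name). On PHP 5.3 through 7.x the array row is the interesting one: the loose check accepts it while the strict and hardened checks reject it. On PHP 5.2 the array is cast to the string "Array" before comparison, as Kousuke's comment notes, so the loose check only passes there if the secret itself happens to be "Array". The `@` suppresses the "expects parameter 1 to be string" warning that would otherwise reveal the failed conversion in the server log, which is exactly why the type check in hardened_check() belongs before the comparison rather than relying on the comparison's return value at all.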