PHP Hash Comparison Weakness A Threat To Websites, Researcher Says

Flaw could allow attackers to compromise user accounts, WhiteHat Securitys Robert Hansen -- aka RSnake -- says in new finding on Magic Hash vulnerability.

A weakness in the manner in which PHP handles hashed strings in certain situations gives attackers an opportunity to try and compromise authentication systems, passwords, and other functions involving hash comparisons in PHP, a researcher from WhiteHat Security says.
Robert Hansen, vice president of WhiteHat, describes the issue as one that affects any website that uses two specific types of operators for comparing hashes in PHP.
The issue mostly affects authentication, but it could also effect forgot password flows, nonces, binary checking, cookies, and passwords, among other things, Hansen, aka RSnake, told Dark Reading. It totally depends on the website, and how its constructed.
The problem exists in the manner in which PHP handles hashed strings when either the double equal (==) or != operators are used to compare them. When either of these two operators is used for comparing hashes, PHP interprets any hashed value beginning with ‘0e’ as having the value 0.
So if two different passwords are hashed and both their hashed values begin with ‘0e’ followed by numerals, PHP will interpret both as having the value 0. Even though the hash values for both passwords are completely different, PHP would treat them both as the number zero if both begin with 0e and when either ‘==’ or ‘!=’ are used.
“Think of 0e... as being the scientific notation for 0 to the power of some value and that is always 0, Hansen noted in a blog post Friday. “PHP interprets the string as an Integer.”
The implications are huge because it gives attackers a way to try and compromise user accounts by entering a string that when hashed gets equated to zero by PHP. If a password in the database is represented the same way, the attacker will get access to the account, Hansen said.
The problem itself has been known for at least a year, Hansen said. But what hasn’t been available are examples of hash types that when hashed begin with the ‘0e’ format that ends up getting equated to zero, he said.
In a blog, Hansen listed several magic numbers that he found could be used as passwords, which when hashed, end up being treated as 0 by PHP.
When such hashes are compared against the hashes of actual password, values that are also treated as 0 by PHP they end up getting evaluated as being equivalent, or true. In such cases attackers will be able to log into the account without the valid password, he said.
To find the strings, Hansen iterated over 1 billion hashed integers of different hash types like MD5 and SHA1. Though the technique was inefficient it was reasonably effective at finding strings that triggered the weakness for most hash algorithms with a length of 32 characters or less, Hansen said
in his blog
.
Hansen said he estimated the chances of a 32-character hash triggering the issue was somewhere in the range of 1 in 200 million. While that might seem like an extremely low probability, it is often enough for attackers to want to try and trigger the flaw especially on a high volume website or one with a lot of credentials.
Addressing the problem is very simple, he said. Websites using PHP should analyze their code for hash comparisons in PHP using ‘==’ or ‘!= and change them to ‘===’ or ‘!==’ respectively, he said.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
PHP Hash Comparison Weakness A Threat To Websites, Researcher Says