1. 17

  2. 12
    if (trim($shared_key) == "") {
        return flase;               

    Due to a typographic error, when a shared key is provided that is 32 characters in length, but empty after a call to trim(), the function will return “flase”. This will return the literal string “flase” instead of the Boolean value FALSE. Fortunately for us, the string “flase” has a Boolean value of TRUE, thus the key check will be successful and we can bypass the authorisation check.

    Good grief.

      1. 3

        Especially when the second result is in a file called Wallet.php 🤦‍♀️

      2. 3

        When I saw that I was properly surprised that PHP would treat that as a string and not a unknown variable. I haven’t written PHP code in almost 10 years so I must have forgotten this quirk but that does seem like very dangerous language behavior.

        Is this still the case in currently supported iterations of the language, and if not when was it fixed?

        1. 4

          and not a unknown variable

          A variable would be prefixed with $, so it can’t be that; instead it’s a bareword, in a Perl-ish sense. Originally intended so you could do $_GET[xyz] and have it mean $_GET["xyz"]. They were eventually deprecated.

          1. 3

            Oh yeah I forgot that variables are prefixed with $-sigils in PHP. It’s great that they deprecated it though, I know for a fact that I’ve countless times accidentally written “ture” (a some what common name in my country) instead of “true”, which luckily is a easily spotted syntax error in most languages.

      3. 4

        That last sentence!

        Finally I wish I could say Xceedium (Now CA Technologies) were a treat to work with during the disclosure process however that would be a lie.

        Almost spit my drink on my screen.

        1. 4

          Good article and another reason to be super wary of type coersion, if you absolutely have to use PHP stick with your triple equals and consistent quoting at all times. I will be a bit picky though and state that this is not gaining “Domain Admin” in any way, stealing authentication tokens from a backdoored login page isn’t a guarenteed domain admin attack path and comes off as hype to get attention from the “Red Team” types in the field (which is a whole other rant).