Open
Description
Hi, I'd like to report a potential authentication bypass problem using loose comparison.
In monstra/admin/index.php:38, the password check currently uses loose comparison (==) instead of strict. However, the password in monstra is computed using md5 functions in monstra/engine/Security.php:98, which suffers from the magic hash problem. If the hash value starts with 0e, it will be treated as 0 during the comparison. An attacker can bypass the authentication using a crafted password with a similar hash value.
This problem also appears in other parts of monstra. For example, the plugin box has a similar issue.
This can be easily fixed via strict comparison (===).
Reference to magic hash
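The comparison behaviour described in the report, as an added example that is not part of the original issue or Monstra's code. The function names and the two digest strings are hypothetical and constructed for illustration; `hash_equals()` is PHP's built-in constant-time string comparison and is shown alongside the `===` fix the report proposes.

```php
<?php
// Constructed sample digests (NOT real md5 outputs): 32 characters,
// "0e" followed only by decimal digits, so PHP treats each one as a
// numeric string in scientific notation (0 * 10^N = 0).
$stored    = '0e111111111111111111111111111111';
$submitted = '0e222222222222222222222222222222';

// Loose comparison, the pattern the issue reports: two numeric strings
// are compared as numbers, so both sides become float(0).
function check_loose(string $stored, string $computed): bool
{
    return $stored == $computed;
}

// Strict comparison, the fix the issue proposes: same type and same bytes.
function check_strict(string $stored, string $computed): bool
{
    return $stored === $computed;
}

// Byte-wise and constant-time; avoids type juggling as well.
function check_hash_equals(string $stored, string $computed): bool
{
    return hash_equals($stored, $computed);
}

// Audit helper (hypothetical): flags stored digests that a loose
// comparison would evaluate as the number zero.
function is_magic_form(string $digest): bool
{
    return preg_match('/^0+e\d+$/i', $digest) === 1;
}

var_dump(check_loose($stored, $submitted));        // different strings, accepted
var_dump(check_strict($stored, $submitted));       // rejected
var_dump(check_hash_equals($stored, $submitted));  // rejected
var_dump(is_magic_form($stored));                  // digest has the "0e<digits>" form
var_dump(is_magic_form('5f4dcc3b5aa765d61d8327deb882cf99')); // contains letters, not affected
```

Running `is_magic_form()` over the stored password hashes shows which existing accounts are exposed to the loose comparison until the check is changed.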