I was trying to do the FOSS v1 source code review challenge, code is here. I have found a very interesting bug, but it might be more theoretical than practical.
Here is my methodology:
1) Reset the password for user memtash, which causes memtash's password to be set to 0 (look at the password = 0) in this snippet:
$st = $this->db->prepare('UPDATE users SET `reset` = :reset, **password = 0** WHERE uid = :uid LIMIT 1');
2) During login, put the username as memtash and find a value that sha1() will output as 0 (or a long line of 0's) to successfully login:
if ($row && $row->password == sha1($pass)) {
I just need to find a way to make the PHP function sha1() output only zeros, using either the correct input or perhaps making the function fail so it outputs false (which is 0).
It will result in a successful login because in PHP 0 == 00000000000000000000000000000000 evaluates to true, because == is an equality operator which checks if they are both equal. Zero is equal to many zeros.
Even if this is not the correct solution, I think it is a good find?
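Added example, not the challenge's source and not the poster's code: it reconstructs the two quoted fragments (the reset that stores `password = 0` and the `==` login check) on a constructed row, shows the loose-comparison behaviour the post relies on, and puts a hardened version next to it. The row object, the `rowAfterReset`, `looseLogin`, `strictLogin` and `resetRow` helpers, and the sample credentials are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example (not the challenge's source). Constructed data throughout.

// Stand-in for the row the `UPDATE ... password = 0` query leaves behind:
// the password column now holds the integer 0, not a hash.
function rowAfterReset(): object
{
    return (object) ['uid' => 1, 'password' => 0, 'reset' => 'constructed-token'];
}

// Vulnerable check, mirroring `$row->password == sha1($pass)` from the post.
// `==` compares an int with a string, so PHP coerces one side before comparing.
function looseLogin(object $row, string $pass): bool
{
    return $row->password == sha1($pass);
}

// Hardened check:
//  - a row whose password column is not a non-empty string (for example one
//    that is mid-reset) can never authenticate;
//  - the stored value is a password_hash() output and is verified with
//    password_verify(), which does its own strict, constant-time comparison,
//    so no `==` between mixed types is ever reached.
function strictLogin(?object $row, string $pass): bool
{
    if ($row === null || !is_string($row->password) || $row->password === '') {
        return false;
    }
    return password_verify($pass, $row->password);
}

// A reset should clear the credential with NULL rather than the integer 0,
// so the column can never hold a value that loosely compares equal to 0.
function resetRow(object $row): object
{
    $row->password = null;
    $row->reset = bin2hex(random_bytes(16));
    return $row;
}

// What the post describes: under loose comparison the int 0 equals a
// string of zeros, because the string is numeric. Strict comparison is not fooled.
var_dump(0 == '0000000000000000000000000000000000000000');  // bool(true)
var_dump(0 === '0000000000000000000000000000000000000000'); // bool(false)

// Run both checks against the constructed reset row.
$row = rowAfterReset();
var_dump(looseLogin($row, 'anything'));  // true on PHP < 8.0, false on PHP >= 8.0 (see note)
var_dump(strictLogin($row, 'anything')); // bool(false): a reset row never logs in

// And against a healthy row with a proper password_hash() value.
$healthy = (object) [
    'uid'      => 2,
    'password' => password_hash('correct horse', PASSWORD_DEFAULT),
    'reset'    => null,
];
var_dump(strictLogin($healthy, 'correct horse')); // bool(true)
var_dump(strictLogin($healthy, 'wrong'));         // bool(false)
var_dump(strictLogin(resetRow($healthy), 'correct horse')); // bool(false) after reset
```

One caveat worth knowing when assessing the finding: before PHP 8.0, `0 == "<non-numeric string>"` was also true (the string was cast to 0), so on older runtimes the loose check accepts more than just "all zeros" hashes for a reset account; PHP 8.0 changed that rule so the int is compared as a string instead, but a numeric-looking string still compares equal to 0. Neither runtime behaviour is something to rely on: the fix is to stop storing 0 as a credential, refuse to authenticate rows without a real hash, and use `password_verify()` (or at least `hash_equals()`) rather than `==`.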