A recent issue has come (back) to light in the security community around how PHP compares hashes. In this post to the Security Affairs site they talk about the problem of hash comparison and how to prevent the issue in your own PHP code.
Because of a security flaw according to which PHP tackles ‘hashed’ strings in specific situation attackers are given the opportunity to try and breach passwords, authentication systems and other functions being run on PHP hash comparisons, WhiteHat security researcher says. VP of WhiteHat, Robert Hansen, declared that any website is vulnerable to the flaw – the only thing is, two specific kinds of PHP hashes the vulnerable site uses for comparing ‘hashes’ in PHP language.
The problem comes with how PHP handles its typing behind the scenes mostly. When a string starts with “0e..” PHP interprets it as scientific notation and sees it as a value equal to zero. As a result, two strings, even if they don’t match, that start with “0e…” will evaluate as equal. Fortunately, the answer is relatively simple (though could be time consuming to fix): change == (double equals) to === (triple equals). This prevents PHP from trying to do the type juggling and compare them on the types they are when presented (string to string in the case of hashes).