Use of Wrong Operator in String Comparison in opensourcepos/opensourcepos


Reported on

Sep 30th 2021


The use == and != of might cause type juggling at the affected code if $row->hash_version == 1.

Proof of Concept

If the md5 sum of users password starts with 0e, then any input with md5 sum starting with 0e will result in true at statement $row->password == md5($password)


This vulnerability is capable of authentication bypass via magic hash attack

We have contacted a member of the opensourcepos team and are waiting to hear back 2 years ago
jekkos validated this vulnerability 2 years ago
Viky has been awarded the disclosure bounty
The fix bounty is now up for grabs
2 years ago


This vulnerability only affects users that are on an old password hashing scheme, which was replaced a couple of years ago. So basically it won't affect new installations.

jekkos marked this as fixed with commit f1672d 2 years ago
jekkos has been awarded the fix bounty
This vulnerability will not receive a CVE
Employee.php#L335 has been validated
to join this conversation