You are a developer. You put a lot of effort into making sure that your code is safe. You never trust user input, you use the best security-related development libraries. And then you make one small typo and everything is ruined.
This is not fiction. Not long ago, a pentester known as Daniel C found such a vulnerability in the PHP code of an older version of Xceedium Xsuite. This vulnerability was patched quite some time ago, but it proves how little is needed for a serious security issue to appear.
In this case, the developer typed `return flase` instead of `return false` in PHP code. Due to the forgiving nature of PHP, `return flase` returns the string `flase`, which has a logical value of true. However, PHP is not the only language where such a situation may happen.
The function where the typo appeared was used to check a shared key provided via the `$get` variable:
```php
<?php
function checkSharedKey($shared_key) {
    if (strlen($shared_key) != 32) {
        return false;
    }
    if (trim($shared_key) == "") {
        return flase; // typo: undefined constant, treated as the truthy string "flase" in PHP 7 and earlier
    }
    // remainder of the function is not shown in the original excerpt
}
```
To bypass the check, Daniel needed to provide a key that had a length of 32 bytes and that gave an empty string as a result of the `trim()` function. He was able to do it by supplying, for example, 32 spaces or 32 tabs.
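As an added example (not from the original post and not Xceedium's code), here is the vulnerable function beside a hardened rewrite, both run against the 32-space input described above. The `$expected` secret, the `checkSharedKeyHardened` name and the `return true` tail of the vulnerable function are assumptions; the hardened version shows that a declared `bool` return type under `strict_types` would turn the same typo into a TypeError instead of a silent pass.

```php
<?php
declare(strict_types=1);

// Vulnerable version, as in the post. On PHP 7 and earlier the typo
// makes the second guard return the string "flase", which is truthy,
// with only a warning; PHP 8 throws an Error for the undefined constant.
function checkSharedKeyVulnerable($shared_key)
{
    if (strlen($shared_key) != 32) {
        return false;
    }
    if (trim($shared_key) == "") {
        return flase; // typo reproduced deliberately
    }
    return true; // assumption: the original excerpt ends here
}

// Hardened version. The declared bool return type, enforced by
// strict_types, would turn the same typo into a TypeError instead of a
// silent "true", and the key is compared to the expected secret with
// hash_equals() so neither a blank key nor a timing leak gets through.
function checkSharedKeyHardened(string $shared_key, string $expected): bool
{
    if (strlen($shared_key) !== 32 || trim($shared_key) === '') {
        return false;
    }
    return hash_equals($expected, $shared_key);
}

$bypass   = str_repeat(' ', 32); // the 32-space input from the post
$expected = str_repeat('k', 32); // constructed placeholder secret

try {
    $r = checkSharedKeyVulnerable($bypass);
    echo "vulnerable: ", var_export((bool) $r, true), "\n"; // true on PHP 7
} catch (Error $e) {
    echo "vulnerable: PHP 8 rejects the typo: ", $e->getMessage(), "\n";
}
echo "hardened:   ", var_export(checkSharedKeyHardened($bypass, $expected), true), "\n"; // false
```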