mirror/opensourcepos
1
0
Fork 0
mirror of https://github.com/opensourcepos/opensourcepos.git synced 2026-04-10 01:51:02 -04:00
Code Issues Packages Projects Releases Wiki Activity

Prevent type juggling for password hash comparison (#3324)

Browse Source
This commit is contained in:
jekkos
2021-09-30 21:49:33 +02:00
committed by jekkos
parent 2f69841c95
commit f1672d9701
2 changed files with 5 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
SECURITY.md
View File

@@ -17,7 +17,8 @@ receiving such patches depend on the CVSS v3.0 Rating:
| CVSS v3.0 | Supported Versions |
| --------- | -------------------------------------------------- |
| 7.3 | 3.5.5 |
| 7.3 | 3.3.5 |
| 9.8 | 3.3.6 |
## Reporting a Vulnerability

6
application/models/Employee.php
View File

@@ -327,12 +327,12 @@ class Employee extends Person
{
$query = $this->db->get_where('employees', array('username' => $username, 'deleted' => 0), 1);
if($query->num_rows() == 1)
if($query->num_rows() === 1)
{
$row = $query->row();
// compare passwords depending on the hash version
if($row->hash_version == 1 && $row->password == md5($password))
if($row->hash_version === '1' && $row->password === md5($password))
{
$this->db->where('person_id', $row->person_id);
$this->session->set_userdata('person_id', $row->person_id);
@@ -340,7 +340,7 @@ class Employee extends Person
return $this->db->update('employees', array('hash_version' => 2, 'password' => $password_hash));
}
elseif($row->hash_version == 2 && password_verify($password, $row->password))
elseif($row->hash_version === '2' && password_verify($password, $row->password))
{
$this->session->set_userdata('person_id', $row->person_id);