Auth: Authentication Token Bypass

This commit addresses a vulnerability on how osTicket authenticates auth-tokens used for auto-login to view ticket status. The validation process failed to handle unexpected type handling issue making it possible for users to exploit type juggling and authenticate using only email and ticket number.

Auth: Authentication Token Bypass
This commit addresses a vulnerability on how osTicket authenticates auth-tokens used for auto-login to view ticket status. The validation process failed to handle unexpected type handling issue making it possible for users to exploit type juggling and authenticate using only email and ticket number.
a9834d88 · Peter Rotich · 6e039ab7 · a9834d88
Commit a9834d88 authored 5 years ago by Peter Rotich
--- a/include/class.auth.php
+++ b/include/class.auth.php
@@ -1063,7 +1063,8 @@ class AuthTokenAuthentication extends UserAuthenticationBackend {
            if (($ticket = Ticket::lookupByNumber($_GET['t'], $_GET['e']))
                    // Using old ticket auth code algo - hardcoded here because it
                    // will be removed in ticket class in the upcoming rewrite
-                    && !strcasecmp($_GET['a'], md5($ticket->getId() .  strtolower($_GET['e']) . SECRET_SALT))
+                    && strcasecmp((string) $_GET['a'], md5($ticket->getId()
+                            .  strtolower($_GET['e']) . SECRET_SALT)) === 0
                    && ($owner = $ticket->getOwner()))
                $user = new ClientSession($owner);
        }