You can log in with either the correct password, or the password 'IndictClapper4Perjury' (sans quotes).
Because a function named password_verify() is defined in the Framework namespace, a call to password_verify() made inside that namespace without a leading backslash is resolved by looking in the current namespace first and then falling back to the global namespace. Silently.
i.e. it will attempt, in this order:
- \Framework\password_verify()
- \password_verify()
If you comment out the require_once "login.php"; line, you can still log in with the proper password.
Patch for index.php:
- if (password_verify('IndictClapper4Perjury', $hash)) {
+ if (\password_verify('IndictClapper4Perjury', $hash)) {
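Review bot: the leading backslash on the + line fixes only this one call in index.php; the password_verify() defined in the Framework namespace is still loaded, so any other unqualified call inside that namespace keeps resolving to it. I would either remove that definition as part of the same change or extend the fix to every unqualified call to a built-in in namespaced files. Also, both lines pass the string literal 'IndictClapper4Perjury' as the first argument rather than a submitted password; if that is shorthand for the write-up, say so next to the patch.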
It's a very easy mistake to miss, unless the code auditor is intimately familiar with how PHP implements namespaces.
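An added example, not part of the original entry: a self-contained PHP file that shows the lookup order described above and a runtime check an auditor can use to find it. The stand-in Framework\password_verify(), the string 'demo-shadow', and the helper names check_unqualified(), check_qualified() and find_shadowed_internals() are assumptions made for the illustration.

```php
<?php
namespace Framework {
    // Constructed stand-in for a function that shadows the built-in.
    function password_verify(string $password, string $hash): bool
    {
        return $password === 'demo-shadow';
    }

    // Unqualified call: PHP tries \Framework\password_verify() first and
    // only falls back to \password_verify() if that does not exist.
    function check_unqualified(string $password, string $hash): bool
    {
        return password_verify($password, $hash);
    }

    // Fully qualified call: always resolves to the built-in.
    function check_qualified(string $password, string $hash): bool
    {
        return \password_verify($password, $hash);
    }
}

namespace {
    // Audit helper (hypothetical name): list loaded user-defined functions
    // in any namespace whose short name matches a PHP internal function.
    function find_shadowed_internals(): array
    {
        $defined  = get_defined_functions();
        $internal = array_flip($defined['internal']);
        $shadows  = [];
        foreach ($defined['user'] as $name) {      // names come back lowercased
            $pos = strrpos($name, '\\');
            if ($pos === false) {
                continue;                          // global function, not a shadow
            }
            if (isset($internal[substr($name, $pos + 1)])) {
                $shadows[] = $name;
            }
        }
        return $shadows;
    }

    $hash = password_hash('correct horse', PASSWORD_DEFAULT); // constructed input
    var_dump(Framework\check_unqualified('demo-shadow', $hash)); // uses the stand-in
    var_dump(Framework\check_qualified('demo-shadow', $hash));   // uses the built-in
    print_r(find_shadowed_internals());
}
```

The audit only sees functions that are loaded when it runs, so call it after all of the application's includes have been required.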
https://underhandedcrypto.com/rules/