NetAlertX Authentication Bypass Vulnerability via SHA-256 Magic Hashes

An authentication bypass vulnerability has been identified in NetAlertX versions prior to 25.6.7. The issue arises from loose password comparison in PHP, allowing users to bypass authentication by using specially crafted SHA-256 magic hash values. In vulnerable versions, the password comparison is performed using the loose equality operator, which can misinterpret certain strings as equal. This vulnerability particularly affects users with passwords that generate magic hashes evaluating to true in a loose comparison, posing a risk of unauthorized access to services relying on this authentication logic.

Impact

Exploitation of this vulnerability allows for unauthorized access, bypassing the application's password verification process.

Reproduction

To reproduce this vulnerability, use a password that generates a SHA-256 magic hash evaluating to true in a loose comparison, such as those beginning with '0e' followed by digits. Attempt to log in with this password, which will bypass authentication due to the loose comparison. A list of such magic hashes can be found in the GitHub repository 'spaze/hashes'.

Remediation

Users are advised to update to NetAlertX version 25.6.7, where this vulnerability has been fixed.