CVE-ID

CVE-2018-10362

• CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
An issue was discovered in phpLiteAdmin 1.9.5 through 1.9.7.1. Due to loose comparison with '==' instead of '===' in classes/Authorization.php for the user-provided login password, it is possible to login with a simpler password if the password has the form of a power in scientific notation (like '2e2' for '200' or '0e1234' for '0'). This is possible because, in the loose comparison case, PHP interprets the string as a number in scientific notation, and thus converts it to a number. After that, the comparison with '==' casts the user input (e.g., the string '200' or '0') to a number, too. Hence the attacker can login with just a '0' or a simple number he has to brute force. Strong comparison with '===' prevents the cast into numbers.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
Assigning CNA
MITRE Corporation
Date Record Created
20180425 Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20180425)
Votes (Legacy)
Comments (Legacy)
Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.