Spidera & Ripli
Spidera
Stumbled on an old legacy server that still uses a broken auth loop. I suspect there's a hidden backdoor. Want to take a look?
Ripli
Sure, just send me the code. I'll run a regex sweep on the auth loop to find any non‑standard redirects or hardcoded credentials, then we can see if there's a hidden backdoor path. If it’s a logic flaw, I’ll flag the exact line and give you a clean patch.
Spidera
Here’s a minimal PHP example that mimics the vulnerable auth loop.

```php
<?php
// LegacyAuth.php
$valid_user = 'admin';
$valid_pass = 'password123';

session_start();

if (!isset($_SESSION['authenticated'])) {
    // --- Authentication step ------------------------------------------------
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $user = $_POST['user'] ?? '';
        $pass = $_POST['pass'] ?? '';

        // Straightforward credential check
        if ($user === $valid_user && $pass === $valid_pass) {
            $_SESSION['authenticated'] = true;
            header('Location: dashboard.php');
            exit;
        } else {
            // Redirect back to login with error flag
            header('Location: login.php?error=1');
            exit;
        }
    }
    // If GET, just show the login form
?>
<form method="post" action="LegacyAuth.php">
    <label>Username: <input type="text" name="user"></label><br>
    <label>Password: <input type="password" name="pass"></label><br>
    <input type="submit" value="Login">
</form>
<?php
    exit;
}

// --- Protected content ---------------------------------------------------------
echo "Welcome, you are authenticated!";

# Hidden backdoor – toggle with a magic cookie
# if (isset($_COOKIE['backdoor']) && $_COOKIE['backdoor'] === 'open') {
#     echo "<p>Backdoor active. You can do whatever you like.</p>";
# }
?>
```

The issue is that the redirect logic relies on a simple query‑string flag, so any attacker who can manipulate the `error` parameter can force the page to reload and keep trying credentials in a loop. The backdoor is buried in a commented block that could be uncommented by an insider or a compromised script. Let me know where you want to patch first.
Ripli
Patch the login loop first:

1. Add a CSRF token to the form and verify it on POST.
2. Drop the error flag from the redirect; just show an error message on the same page.
3. Use `header('Location: dashboard.php')` only after `session_regenerate_id()` to prevent session fixation.
4. Uncomment the backdoor block? No—comment it out permanently and add a file‑level constant that, if defined, triggers a log‑only alert instead of giving access.

That fixes the loop and removes the hidden entry point.
Spidera
```php
<?php
// LegacyAuth.php
$valid_user = 'admin';
$valid_pass = 'password123';
define('LOG_BACKDOOR', false); // set true to only log attempts, never grant access
$error = '';

session_start();

// CSRF helpers
function generate_csrf() {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function check_csrf($token) {
    // Reject non-string input and an unset session token; otherwise a fresh
    // session posting an empty token would pass, since hash_equals('', '') is true
    if (!is_string($token) || empty($_SESSION['csrf'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf'], $token);
}

if (!isset($_SESSION['authenticated'])) {
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $user = $_POST['user'] ?? '';
        $pass = $_POST['pass'] ?? '';
        $csrf = $_POST['csrf'] ?? '';

        // CSRF check
        if (!check_csrf($csrf)) {
            $error = 'Invalid CSRF token.';
        } elseif ($user === $valid_user && $pass === $valid_pass) {
            // Prevent session fixation
            session_regenerate_id(true);
            $_SESSION['authenticated'] = true;
            header('Location: dashboard.php');
            exit;
        } else {
            $error = 'Invalid credentials.';
        }
    }
    // Render form (stay on same page on error)
?>
<form method="post" action="LegacyAuth.php">
    <label>Username: <input type="text" name="user"></label><br>
    <label>Password: <input type="password" name="pass"></label><br>
    <input type="hidden" name="csrf" value="<?= generate_csrf(); ?>">
    <input type="submit" value="Login">
</form>
<?php
    if (!empty($error)) {
        echo '<p style="color:red;">' . $error . '</p>';
    }
    exit;
}

// Protected content
echo "Welcome, you are authenticated!";

# Hidden backdoor – permanently disabled
# if (isset($_COOKIE['backdoor']) && $_COOKIE['backdoor'] === 'open') {
#     if (LOG_BACKDOOR) {
#         error_log('Backdoor attempted by ' . $_SERVER['REMOTE_ADDR']);
#     }
#     // no access granted
# }
?>
```
Ripli
Looks solid. Just one tweak: log the CSRF failures separately so you can see brute‑force attempts. And maybe rotate the CSRF key on every successful login to keep the token fresh. Otherwise, you're good to go.
Spidera
```php
<?php
// LegacyAuth.php
$valid_user = 'admin';
$valid_pass = 'password123';
define('LOG_BACKDOOR', false); // set true to only log attempts, never grant access
$error = '';

session_start();

// CSRF helpers
function generate_csrf() {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function check_csrf($token) {
    // Reject non-string input and an unset session token; otherwise a fresh
    // session posting an empty token would pass, since hash_equals('', '') is true
    if (!is_string($token) || empty($_SESSION['csrf'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf'], $token);
}

if (!isset($_SESSION['authenticated'])) {
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $user = $_POST['user'] ?? '';
        $pass = $_POST['pass'] ?? '';
        $csrf = $_POST['csrf'] ?? '';

        // CSRF check, logged separately so repeated failures stand out
        if (!check_csrf($csrf)) {
            $error = 'Invalid CSRF token.';
            error_log('CSRF failure from ' . $_SERVER['REMOTE_ADDR'] . ' at ' . date('Y-m-d H:i:s'));
        } elseif ($user === $valid_user && $pass === $valid_pass) {
            // Prevent session fixation
            session_regenerate_id(true);
            $_SESSION['authenticated'] = true;
            // Rotate CSRF key after successful login
            unset($_SESSION['csrf']);
            header('Location: dashboard.php');
            exit;
        } else {
            $error = 'Invalid credentials.';
        }
    }
    // Render form (stay on same page on error)
?>
<form method="post" action="LegacyAuth.php">
    <label>Username: <input type="text" name="user"></label><br>
    <label>Password: <input type="password" name="pass"></label><br>
    <input type="hidden" name="csrf" value="<?= generate_csrf(); ?>">
    <input type="submit" value="Login">
</form>
<?php
    if (!empty($error)) {
        echo '<p style="color:red;">' . $error . '</p>';
    }
    exit;
}

// Protected content
echo "Welcome, you are authenticated!";

# Hidden backdoor – permanently disabled
# if (isset($_COOKIE['backdoor']) && $_COOKIE['backdoor'] === 'open') {
#     if (LOG_BACKDOOR) {
#         error_log('Backdoor attempted by ' . $_SERVER['REMOTE_ADDR']);
#     }
#     // no access granted
# }
?>
```