From 31aa7661e6db6f4dffbf9a635817832a0a11c7d9 Mon Sep 17 00:00:00 2001
From: Erik Dubbelboer
Date: Tue, 5 Oct 2021 18:45:52 +0000
Subject: [PATCH] Fix magic hash attack
---
 includes/login.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/includes/login.inc.php b/includes/login.inc.php
index 75ed28d..8cfb26d 100644
--- a/includes/login.inc.php
+++ b/includes/login.inc.php
@@ -56,7 +56,7 @@ function authHttpDigest()
 $response = md5($password.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']));
- if ($data['response'] != $response) {
+ if ($data['response'] !== $response) {
 header('HTTP/1.1 401 Unauthorized');
 header('WWW-Authenticate: Digest realm="'.$realm.'",qop="auth",nonce="'.uniqid().'",opaque="'.$opaque.'"');
 die('Invalid username and/or password combination.');
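Review bot: The digest comparison on the changed line is still not constant-time. `!==` stops the numeric-string juggling, but it returns at the first differing byte, so the check should be `if (!hash_equals($response, (string) $data['response'])) {`. Separately, the 401 challenge issues `nonce="'.uniqid().'"`, which is time-derived, while the expected value is built from the client-supplied `$data['nonce']`. If nothing outside this hunk checks that nonce against one the server issued and remembers, a captured Authorization header would stay valid; a server-stored `bin2hex(random_bytes(16))` nonce verified before the comparison would close that. A comment above the check such as `// compare in constant time; $data comes from the client's Authorization header` would also record why the strict form matters. authHttpDigest() starts and ends outside the hunk, so nonce handling elsewhere in the function could not be confirmed.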