Fix magic hash attack

erikdubbelboer · Oct 5, 2021 · 31aa766 · 31aa766
1 parent 59c90d7
commit 31aa766
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/includes/login.inc.php b/includes/login.inc.php
@@ -56,7 +56,7 @@ function authHttpDigest()
 
     $response = md5($password.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']));
 
-    if ($data['response'] != $response) {
+    if ($data['response'] !== $response) {
       header('HTTP/1.1 401 Unauthorized');
       header('WWW-Authenticate: Digest realm="'.$realm.'",qop="auth",nonce="'.uniqid().'",opaque="'.$opaque.'"');
       die('Invalid username and/or password combination.');