Compare stored hashes for admin and download password using hash_equals()

author Patrick Canterino <patrick@patrick-canterino.de>

Mon, 16 Jun 2025 10:13:44 +0000 (12:13 +0200)

committer Patrick Canterino <patrick@patrick-canterino.de>

Mon, 16 Jun 2025 10:13:44 +0000 (12:13 +0200)
author Patrick Canterino <patrick@patrick-canterino.de>
Mon, 16 Jun 2025 10:13:44 +0000 (12:13 +0200)
committer Patrick Canterino <patrick@patrick-canterino.de>
Mon, 16 Jun 2025 10:13:44 +0000 (12:13 +0200)
diff --git a/admin.php b/admin.php

index f8270a28d3bef505f8888b1de17483d8cf780f1c..75cc38d66eb09100e3cdcd067bef00c0f98f7d6e 100644 (file)
--- a/admin.php
+++ b/admin.php
@@ -73,7 +73,7 @@ elseif (true === jirafeau_challenge_admin_ip($cfg, get_ip_address($cfg))) {
          }
          /* Test web password authentication. */
          elseif (!empty($cfg['admin_password']) && isset($_POST['admin_password'])) {
-            if ($cfg['admin_password'] === hash('sha256', $_POST['admin_password'])) {
+            if (hash_equals($cfg['admin_password'], hash('sha256', $_POST['admin_password']))) {
                  jirafeau_admin_session_start();
              } else {
                  require(JIRAFEAU_ROOT . 'lib/template/header.php');
diff --git a/f.php b/f.php

index f523f728a2e57f0dfc75498a40315283033d0d8e..a93ec981949aed82ac2173f64918432119bd44fb 100644 (file)
--- a/f.php
+++ b/f.php
@@ -171,7 +171,7 @@ if (!empty($link['key'])) {
          require(JIRAFEAU_ROOT.'lib/template/footer.php');
          exit;
      } else {
-        if ($link['key'] == md5($_POST['key'])) {
+        if (hash_equals($link['key'], md5($_POST['key']))) {
              $password_challenged = true;
          } else {
              sleep(2);
author	Patrick Canterino <patrick@patrick-canterino.de>
	Mon, 16 Jun 2025 10:13:44 +0000 (12:13 +0200)
committer	Patrick Canterino <patrick@patrick-canterino.de>
	Mon, 16 Jun 2025 10:13:44 +0000 (12:13 +0200)