admin.php: fix authentication bypass vulnerability

author scumjr <scumjr@users.noreply.gitlab.com>

Mon, 21 Mar 2016 17:54:59 +0000 (18:54 +0100)

committer scumjr <scumjr@users.noreply.gitlab.com>

Mon, 21 Mar 2016 17:56:01 +0000 (18:56 +0100)
author scumjr <scumjr@users.noreply.gitlab.com>
Mon, 21 Mar 2016 17:54:59 +0000 (18:54 +0100)
committer scumjr <scumjr@users.noreply.gitlab.com>
Mon, 21 Mar 2016 17:56:01 +0000 (18:56 +0100)
diff --git a/admin.php b/admin.php

index 25b16ed94e7b7241a5f2d3fad77fc80e9d988ea7..a0ae04b6d3bca449b9a5d11f62571ea9def1da8f 100644 (file)
--- a/admin.php
+++ b/admin.php
@@ -53,7 +53,7 @@ if (isset ($_POST['action']) && (strcmp ($_POST['action'], 'logout') == 0))
  /* Check classic admin password authentification. */
  if (isset ($_POST['admin_password']) && empty($cfg['admin_http_auth_user']))
  {
-    if (strcmp ($cfg['admin_password'], $_POST['admin_password']) == 0)
+    if ($cfg['admin_password'] === $_POST['admin_password'])
          $_SESSION['admin_auth'] = true;
      else
      {
author	scumjr <scumjr@users.noreply.gitlab.com>
	Mon, 21 Mar 2016 17:54:59 +0000 (18:54 +0100)
committer	scumjr <scumjr@users.noreply.gitlab.com>
	Mon, 21 Mar 2016 17:56:01 +0000 (18:56 +0100)