Timing attack fix from security experts https://arcturussecurity.com
Serghey Rodin committed Oct 17, 2018
1 parent 67a0e8d commit 5f68c1b
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion web/reset/index.php
Expand Up @@ -48,7 +48,7 @@
if ( $return_var == 0 ) {
$data = json_decode(implode('', $output), true);
$rkey = $data[$user]['RKEY'];
if ($rkey == $_POST['code']) {
if (hash_equals($rkey, $POST[‘code’])) {

sentabi Oct 18, 2018

missing _ on $_POST. Also you're using instead of '

$v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['password']."\n");
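Review bot: The added line `if (hash_equals($rkey, $POST[‘code’])) {` reads `$POST` instead of `$_POST` and wraps the array key in typographic quotes, so the comparison never receives the submitted reset code. It should read `if (hash_equals($rkey, $_POST['code'])) {`. Separately, hash_equals() expects two strings, while `$rkey` is taken from `$data[$user]['RKEY']` (null if the decoded JSON lacks that entry) and `$_POST['code']` can arrive as an array. Checking both with is_string() before the call, and treating anything else as a failed match, keeps the constant-time comparison from being skipped through a type error or warning.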