From 5f68c1b634abec2d5a4f83156bfd223d3a792f77 Mon Sep 17 00:00:00 2001
From: Serghey Rodin
Date: Wed, 17 Oct 2018 23:28:37 +0300
Subject: [PATCH] Timing attack fix from security experts https://arcturussecurity.com
---
 web/reset/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/web/reset/index.php b/web/reset/index.php
index abde3c14..0d90d15d 100644
--- a/web/reset/index.php
+++ b/web/reset/index.php
@@ -48,7 +48,7 @@ if ((!empty($_POST['user'])) && (!empty($_POST['code'])) && (!empty($_POST['pass
 if ( $return_var == 0 ) {
 $data = json_decode(implode('', $output), true);
 $rkey = $data[$user]['RKEY'];
- if ($rkey == $_POST['code']) {
+ if (hash_equals($rkey, $POST[‘code’])) {
 $v_password = tempnam("/tmp","vst");
 $fp = fopen($v_password, "w");
 fwrite($fp, $_POST['password']."\n");
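Review bot: The added line references `$POST` instead of `$_POST` and wraps the key in typographic quotes (`‘code’`) rather than ASCII single quotes, so the new comparison does not read the submitted code at all: `$POST` is an undefined variable and `‘code’` is parsed as an undefined constant, meaning the reset check can never succeed as written and the surrounding context (which uses `$_POST['code']`) shows the intended superglobal. hash_equals() also requires both arguments to be strings, and here `$rkey` comes from json_decode() and the request value may arrive as an array, so the guard should validate types before comparing: `if (is_string($rkey) && is_string($_POST['code']) && hash_equals($rkey, $_POST['code'])) {`. Switching from `==` to hash_equals() is the right direction, since the loose comparison it replaces is both timing-dependent and subject to PHP's type juggling. The enclosing `if ($return_var == 0)` block continues past the end of the hunk.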