github/vesta
1
0
Fork 0
mirror of https://github.com/serghey-rodin/vesta.git synced 2025-08-19 13:01:51 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Timing attack fix from security experts https://arcturussecurity.com

Browse source
This commit is contained in:
Serghey Rodin 2018-10-17 23:28:37 +03:00
commit 5f68c1b634
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
web/reset/index.php
View file

@ -48,7 +48,7 @@ if ((!empty($_POST['user'])) && (!empty($_POST['code'])) && (!empty($_POST['pass
if ( $return_var == 0 ) { if ( $return_var == 0 ) {
$data = json_decode(implode('', $output), true); $data = json_decode(implode('', $output), true);
$rkey = $data[$user]['RKEY']; $rkey = $data[$user]['RKEY'];
if ($rkey == $_POST['code']) { if (hash_equals($rkey, $POST[code])) {
$v_password = tempnam("/tmp","vst"); $v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w"); $fp = fopen($v_password, "w");
fwrite($fp, $_POST['password']."\n"); fwrite($fp, $_POST['password']."\n");