From 52e7d98586d5386ec334cbfaa9e0fb5f9deaa66a Mon Sep 17 00:00:00 2001
From: HEdingfield
Date: Sat, 27 May 2017 11:58:32 -0700
Subject: [PATCH] Fixed typo to improve security

The typo caused the user to be able to distinguish if the password was incorrect vs. if the username was incorrect, which is potentially a minor security hole.
---
 login.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/login.php b/login.php
index 1bdb76e..c4bd8ca 100644
--- a/login.php
+++ b/login.php
@@ -14,7 +14,7 @@
 goback("Wrong username or password");
 $realpassword = $r->hget("user:$userid","password");
 if ($realpassword != $password)
- goback("Wrong useranme or password");
+ goback("Wrong username or password");
 # Username / password OK, set the cookie and redirect to index.php
 $authsecret = $r->hget("user:$userid","auth");
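Review bot: With both failure branches now returning the same message, the comparison on the context line just above the fix, `if ($realpassword != $password)`, is the remaining weak point: `!=` compares numeric-looking strings by value in PHP (so `"1e3"` equals `"1000"`) and is not constant-time. I would change it to `if (!is_string($realpassword) || !hash_equals($realpassword, (string)$password))`, which also rejects a missing hash field instead of comparing it loosely. The stored value is compared directly with `$password`, which suggests passwords are kept unhashed in the `user:$userid` hash; if that is the case, `password_hash()` at registration and `password_verify()` here would be the proper follow-up. Where `$password` is assigned is not visible, since the script starts before and continues after this hunk.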