From 41d33d9e676dd17f9d80c255abaf477a46b75f34 Mon Sep 17 00:00:00 2001
From: phli
Date: Thu, 21 May 2020 19:51:55 +0800
Subject: [PATCH] fix magic hash authentication bypass
---
 admin/kernel/api/login.class.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/admin/kernel/api/login.class.php b/admin/kernel/api/login.class.php
index b204e91f..639811b4 100644
--- a/admin/kernel/api/login.class.php
+++ b/admin/kernel/api/login.class.php
@@ -75,13 +75,13 @@ public function verify_login($args)
 if(!empty($args['username'])&&!empty($args['password']))
 {
 // Check username
- if($args['username']==$_USER[0]['username'])
+ if($args['username']===$_USER[0]['username'])
 {
 // Generate the password hash
 $hash = sha1($args['password'].$_USER[0]['salt']);
 // Check password
- if($hash==$_USER[0]['password'])
+ if($hash===$_USER[0]['password'])
 {
 $this->db_users->set(array('username'=>$args['username'], 'session_fail_count'=>0, 'session_date'=>time()));
@@ -264,4 +264,4 @@ private function get_key()
 } // END class LOGIN
-?>
\ No newline at end of file
+?>
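Review bot: The password check `if($hash===$_USER[0]['password'])` in the first hunk is type-strict but still not a constant-time comparison, since string identity can return at the first differing byte. As a hardening step, `if(hash_equals($_USER[0]['password'], $hash))` (available since PHP 5.6) gives both strictness and timing safety in one call, assuming the stored value is always a string. Separately, the unchanged context line `$hash = sha1($args['password'].$_USER[0]['salt']);` is a single pass of salted SHA-1, which is cheap to brute-force offline if the stored credentials ever leak. Moving to `password_hash()`/`password_verify()`, re-hashing on the next successful login, would be the longer-term fix. `verify_login` starts and continues outside this hunk, so any failure counting or lockout around this check is not visible here.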