
CVE-2021-4259: Fix magic hash attack · erikdubbelboer/phpRedisAdmin@31aa766

A vulnerability was found in phpRedisAdmin up to 1.17.3. It has been classified as problematic. This affects the function authHttpDigest of the file includes/login.inc.php. The manipulation of the argument response leads to use of wrong operator in string comparison. The name of the patch is 31aa7661e6db6f4dffbf9a635817832a0a11c7d9. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216267.
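The comparison behaviour behind the "wrong operator" described above, as an added example that is not code from phpRedisAdmin or from the commit: it runs PHP's loose `==`, strict `===` and the built-in `hash_equals()` over digest-shaped strings. The function name `compareAll` and every sample value are assumptions constructed for illustration; none is a real MD5 digest.

```php
<?php
declare(strict_types=1);

// Constructed 32-character strings shaped like MD5 hex digests (not real digests).
$plain = 'a1b2c3d4e5f60718293a4b5c6d7e8f90';
$cases = [
    // label => [server-computed digest, client-supplied response]
    'identical digests'       => [$plain, $plain],
    'ordinary mismatch'       => [$plain, 'a1b2c3d4e5f60718293a4b5c6d7e8f91'],
    '"0e" + decimal digits'   => ['0e' . str_repeat('1', 30), '0e' . str_repeat('2', 30)],
    '"0e" + one hex letter'   => ['0e' . str_repeat('1', 29) . 'a', '0e' . str_repeat('2', 30)],
];

/**
 * Compare a supplied response with the expected digest in three ways.
 * Hypothetical helper for this example only.
 */
function compareAll(string $expected, string $supplied): array
{
    return [
        // Loose operator: when both operands are numeric strings PHP compares
        // them as numbers, and "0e<digits>" is scientific notation for zero.
        'loose'       => $supplied == $expected,
        // Strict operator: same type and identical bytes, no numeric coercion.
        'strict'      => $supplied === $expected,
        // Timing-safe string comparison; known value first, user value second.
        'hash_equals' => hash_equals($expected, $supplied),
    ];
}

foreach ($cases as $label => [$expected, $supplied]) {
    $result = compareAll($expected, $supplied);
    // Flag rows where the loose operator disagrees with a byte-exact check.
    $flag = ($result['loose'] !== $result['strict']) ? '  <-- loose accepts a mismatch' : '';
    printf(
        "%-24s loose=%-5s strict=%-5s hash_equals=%-5s%s\n",
        $label,
        var_export($result['loose'], true),
        var_export($result['strict'], true),
        var_export($result['hash_equals'], true),
        $flag
    );
}
```

Only the row where both strings are `0e` followed purely by decimal digits is flagged, which is why the defect depends on the shape of the server-computed digest rather than on every request.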


@@ -56,7 +56,7 @@ function authHttpDigest()

$response = md5($password.’:’.$data[‘nonce’].’:’.$data[‘nc’].’:’.$data[‘cnonce’].’:’.$data[‘qop’].’:’.md5($_SERVER[‘REQUEST_METHOD’].’:’.$data[‘uri’]));

if ($data[‘response’] != $response) {

if ($data[‘response’] !== $response) {

header(‘HTTP/1.1 401 Unauthorized’);

header(‘WWW-Authenticate: Digest realm="’.$realm.’",qop="auth",nonce="’.uniqid().’",opaque="’.$opaque.’"’);

die(‘Invalid username and/or password combination.’);
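Review bot: the replacement check `if ($data['response'] !== $response)` removes the numeric coercion but is still not a timing-safe comparison; consider `hash_equals($response, (string) $data['response'])`, which compares the strings byte for byte without type juggling and in time that does not depend on where they first differ. A short comment on that line saying why the strict or timing-safe form is required would help keep a later edit from reverting it to `!=`. Separately, the unchanged `WWW-Authenticate` context line takes its nonce from `uniqid()`, which is derived from the current time; a value built from `random_bytes()` would be harder to predict, though that is beyond this one-line change.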
