Use of Wrong Operator in String Comparison in hestiacp/hestiacp
$_SESSION["token"] is a CSRF token: an MD5 hash generated from the system time. It has been discovered that $_SESSION["token"] is compared with $_GET["token"] using the loose comparison operator != in index.php. This can cause unexpected behaviour due to PHP type juggling: when both operands are numeric strings (for example an MD5 digest of the form 0e followed only by digits), != compares them as numbers rather than byte by byte. It is therefore possible to bypass the CSRF token check with a magic hash attack, which can then be leveraged to perform a CSRF attack.
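As an added illustration (not HestiaCP's own code), the following PHP contrasts the loose != check with a strict hash_equals() check. The session token is a constructed sample: md5("240610708") is a well-known input whose digest has the form 0e followed only by digits, and the code recomputes it rather than hardcoding it.

```php
<?php
// Added example, not HestiaCP's code: shows why comparing a CSRF token with
// the loose != / == operators is unsafe and how a strict comparison fixes it.

// Vulnerable pattern (the one described in the report). PHP compares two
// numeric strings as numbers, so "0e<digits>" and "0" are treated as equal.
function csrf_check_loose(string $sessionToken, ?string $suppliedToken): bool
{
    if ($suppliedToken === null) {
        return false;
    }
    // Mirrors `if ($_SESSION["token"] != $_GET["token"]) { reject }`
    if ($sessionToken != $suppliedToken) {
        return false;
    }
    return true;
}

// Hardened pattern. hash_equals() compares the two strings byte by byte,
// in constant time, and never applies numeric conversion. A strict !==
// would also avoid type juggling but is not timing-safe.
function csrf_check_strict(string $sessionToken, ?string $suppliedToken): bool
{
    if ($suppliedToken === null) {
        return false;
    }
    return hash_equals($sessionToken, $suppliedToken);
}

// Constructed sample token: an MD5 digest whose hex form is 0e followed
// only by decimal digits, which loose comparison reads as the number 0.
$sessionToken  = md5("240610708");
$suppliedToken = "0"; // a value a CSRF check must never accept as the token

var_dump(csrf_check_loose($sessionToken, $suppliedToken));   // loose: accepted
var_dump(csrf_check_strict($sessionToken, $suppliedToken));  // strict: rejected
var_dump(csrf_check_strict($sessionToken, $sessionToken));   // genuine token still works
```

Any token that a client can influence should be compared with hash_equals(); generating the token from random_bytes() instead of the system time removes the predictability that makes the loose comparison exploitable in the first place.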