Fix bug where a password could get changed without providing the old password

The password plugin uses loose comparison, leading to a type juggling vulnerability that
allows password changes without knowing the old password in specific cases.

Reported by flydragon777

Author: alecpl

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## Unreleased
 
 - Security: Fix pre-auth arbitrary file write via unsafe deserialization in redis/memcache session handler
+- Security: Fix bug where a password could get changed without providing the old password
 
 ## Release 1.5.13
 

plugins/password/password.php

@@ -333,10 +333,10 @@ private function _compare($curpwd, $newpwd, $type)
         else {
             switch ($type) {
             case PASSWORD_COMPARE_CURRENT:
-                $result = $curpwd != $newpwd ? $this->gettext('passwordincorrect') : null;
+                $result = $curpwd !== $newpwd ? $this->gettext('passwordincorrect') : null;
                 break;
             case PASSWORD_COMPARE_NEW:
-                $result = $curpwd == $newpwd ? $this->gettext('samepasswd') : null;
+                $result = $curpwd === $newpwd ? $this->gettext('samepasswd') : null;
                 break;
             default:
                 $result = $this->gettext('internalerror');