
Modified HTTP authentication functionality

Dorian Niemiec 2024-03-17 10:00:01 +01:00
parent 7857e0e2fa
commit 184060fb79

8
svr.js

@ -4551,8 +4551,7 @@ if (!cluster.isPrimary) {
function checkIfPasswordMatches(list, password, callback, _i) { function checkIfPasswordMatches(list, password, callback, _i) {
if (!_i) _i = 0; if (!_i) _i = 0;
var cb = function (hash) { var cb = function (hash) {
var matches = (hash == list[_i].pass); if (hash == list[_i].pass) {
if (matches) {
callback(true); callback(true);
} else if (_i >= list.length - 1) { } else if (_i >= list.length - 1) {
callback(false); callback(false);
@ -4653,10 +4652,11 @@ if (!cluster.isPrimary) {
}); });
} }
if (usernameMatch.length == 0) { if (usernameMatch.length == 0) {
// Pushing false user match to prevent time-based user enumeration
usernameMatch.push({ usernameMatch.push({
name: username, name: username,
pass: "FAKEPASS", pass: "SVRJSAWebServerRunningOnNodeJS",
salt: "FAKESALT" salt: "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0"
}); // Fake credentials }); // Fake credentials
} }
checkIfPasswordMatches(usernameMatch, password, function (authorized) { checkIfPasswordMatches(usernameMatch, password, function (authorized) {
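Review bot: The dummy entry pushed when `usernameMatch.length == 0` carries only `name`, `pass` and `salt`, so the timing defence named in the new comment holds only if `checkIfPasswordMatches` spends the same hashing work on it as on a stored user. The rest of that function is outside the hunk; if stored entries can select a slower key-derivation path through additional fields, the dummy should carry the same fields, otherwise response time may still separate unknown from known usernames. I would record that requirement next to the push, e.g. `// Fake entry must be hashed with the same algorithm and cost as real users`. Separately, `if (hash == list[_i].pass) {` in the first hunk is a loose, early-exit string comparison of the digest; assuming `crypto` is already required in svr.js, a length check followed by `crypto.timingSafeEqual(Buffer.from(hash), Buffer.from(list[_i].pass))` would be the safer form.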