nemunaire/chldapasswd
1
0
Fork 0
Code Issues Pull requests Releases Activity

fix(security): prevent username enumeration via timing attack
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse source 
Perform a dummy LDAP bind when SearchDN fails so that the response time
is indistinguishable between unknown users and wrong passwords.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
nemunaire 2026-03-08 12:42:41 +07:00
commit 12fd2f2e70
2 changed files with 4 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

2
change.go
View file

@ -81,6 +81,8 @@ func changePassword(w http.ResponseWriter, r *http.Request) {
renderError(http.StatusInternalServerError, "Unable to process your request. Please try again later.") renderError(http.StatusInternalServerError, "Unable to process your request. Please try again later.")
} else if dn, err := conn.SearchDN(r.PostFormValue("login"), true); err != nil { } else if dn, err := conn.SearchDN(r.PostFormValue("login"), true); err != nil {
log.Println(err) log.Println(err)
// User not found: perform a dummy bind to prevent username enumeration via timing.
conn.Bind("cn=dummy,"+myLDAP.BaseDN, r.PostFormValue("password"))
renderError(http.StatusUnauthorized, "Invalid login or password.") renderError(http.StatusUnauthorized, "Invalid login or password.")
} else if err := conn.Bind(dn, r.PostFormValue("password")); err != nil { } else if err := conn.Bind(dn, r.PostFormValue("password")); err != nil {
log.Println(err) log.Println(err)

2
login.go
View file

@ -88,6 +88,8 @@ func login(login string, password string) ([]*ldap.EntryAttribute, error) {
if err != nil { if err != nil {
dn, err = conn.SearchDN(login, false) dn, err = conn.SearchDN(login, false)
if err != nil { if err != nil {
// User not found: perform a dummy bind to prevent username enumeration via timing.
conn.Bind("cn=dummy,"+myLDAP.BaseDN, password)
return nil, err return nil, err
} }
} }