View Issue Details

Related ChangesetsJump to NotesJump to History
This bug affects 3 person(s).
 286
IDProjectCategoryView StatusDate SubmittedLast Update
17322Bug reportsSecuritypublic2021-05-25 12:382022-02-28 12:58
ReporterDenisChenu Assigned Topstelling  
PrioritynoneSeverityminor 
Status closedResolutionfixed 
Product Version3.25.20 
Summary17322: Need different time and count for lock out access for token VS admin user
Description

Since Brute-force attack with tokens to enter survey is possible : https://bugs.limesurvey.org/view.php?id=15239

We use same settings for lock out token and klock out admin.

But

  1. Way of give access is totally different : username+userpass VS random character
  2. Right after access is totally different : whole DB and data with admin, only a single user data with token
Steps To Reproduce

?

Additional Information

token : bot access : 1 seconds after 3 try is the best
admin : 10 minutes is really better

TagsNo tags attached.
Bug heat286
Complete LimeSurvey version number (& build)3.27.0
I will donate to the project if issue is resolvedNo
Browsernot relevant
Database type & versionnot relevant
Server OS (if known)not relevant
Webserver software & version (if known)not relevant
PHP Versionnot relevant

Relationships

Relationship GraphDependency Graph
related to 17323 closedgalads Feature requests Captchas have no non-visual alternative 
related to 17695 closedgabrieljenik Bug reports Exceeding the number of maximum access code validation attempts 

Users monitoring this issue

tassoman

Activities

DenisChenu

DenisChenu

2021-05-25 12:38

developer   ~64532

I can fix it (freely), it's an easy needed fix
galads

galads

2021-06-18 10:31

reporter   ~64951

A fix for "Brute-force attack with tokens to enter survey" is already provided and there is a delay when the token is entered incorrectly several times.
Or maybe I misunderstand the fix you want to provide?
DenisChenu

DenisChenu

2021-06-18 10:55

developer   ~64952

We use same time for Admin user and token user. BUT : it's a totally different attack.

yes : there are a Brute force : but it use the same time and try than admin user.

Admin user brute force attack can use

  • "social attack" : birthday, childrens name
  • other powned password for same user
  • password rainbow table

Token user can only be automatic caracters : randomly chooisen

Else : the right give are really more dangerous

  • Admin user : All database of all user of all survey
  • token user : one user information on one survey

The 1st issue is to use the same system for a totally different concept. If you can not understand this : i can not explain more.
galads

galads

2021-06-22 16:07

reporter   ~64979

I understand this absolutely fine but this sounds like a feature request and not a bug. Please create a PR and I will take it up from there
DenisChenu

DenisChenu

2021-06-22 16:23

developer   ~64981

But : this issue was introduced in a https://github.com/LimeSurvey/LimeSurvey/blob/0b24642017090b0a16f867ab7c10c9d73f5629d7/docs/release_notes.txt#L214

in 3.X when new feature is forbidden … then ?

Can i fix it for 3.X or not ?
c_schmitz

c_schmitz

2021-07-12 11:56

administrator   ~65371

yes, you can.
tassoman

tassoman

2022-02-18 14:52

reporter   ~68325

I'm using 3.x version behind a reverse proxy and behind kubernetes.
The feature is blacklisting the proxy's address. If you're simply using $_SERVER['REMOTE_HOST'] that's not enough.
You should have care of the address $_SERVER['HTTP_X_FORWARDED_FOR'] also.
My blocked IP is the kubernetes service.
DenisChenu

DenisChenu

2022-02-18 17:16

developer   ~68327

https://github.com/LimeSurvey/LimeSurvey/blob/1e90f0c83afdc803d57bd24d6f51c70683459869/application/helpers/common_helper.php#L4631
tassoman

tassoman

2022-02-18 17:23

reporter   ~68329

Indeed, Denis.

HTTP_X_FORWARDED_FOR can be a comma separated list of IPv4 addresses.
The least forwarded should be on the left.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For

Maybe I can post a patch on this. Do you accept github Pull requests?

More, on this, I would say the IP address can be easily faked with crafted http requests from an attacker. I wouldn't pay so much attention on this.
pstelling

pstelling

2022-02-25 11:50

developer   ~68409

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=33284
LimeBot

LimeBot

2022-02-28 12:58

administrator   ~68432

Fixed in Release 5.3.0+220228

Related Changesets

LimeSurvey: master 8fdbfdab

2022-02-25 12:42

pstelling

Committer: GitHub


Details Diff		 Fixed issue 17322: [security] Separate settings for administration & participants for handling failed login attempts (#2251)

Fixed issue 17322: [security] Separate settings for administration & participants for handling failed login attempts		 Affected Issues
17322
mod - application/config/config-defaults.php Diff File
mod - application/config/version.php Diff File
mod - application/controllers/admin/Authentication.php Diff File
mod - application/controllers/admin/GlobalSettings.php Diff File
mod - application/controllers/survey/index.php Diff File
mod - application/core/LSUserIdentity.php Diff File
mod - application/helpers/frontend_helper.php Diff File
add - application/helpers/update/updates/Update_481.php Diff File
mod - application/models/FailedLoginAttempt.php Diff File
mod - application/views/admin/globalsettings/_security.php Diff File
mod - installer/create-database.php Diff File

Issue History

Date Modified Username Field Change
2021-05-25 12:38 DenisChenu New Issue
2021-05-25 12:38 DenisChenu Note Added: 64532
2021-05-25 13:50 DenisChenu Relationship added related to 17323
2021-06-18 10:31 galads Note Added: 64951
2021-06-18 10:32 galads Assigned To => galads
2021-06-18 10:32 galads Status new => feedback
2021-06-18 10:55 DenisChenu Note Added: 64952
2021-06-18 10:55 DenisChenu Status feedback => assigned
2021-06-22 16:07 galads Note Added: 64979
2021-06-22 16:08 galads Assigned To galads => DenisChenu
2021-06-22 16:08 galads Status assigned => feedback
2021-06-22 16:08 galads Status feedback => assigned
2021-06-22 16:23 DenisChenu Note Added: 64981
2021-07-12 11:56 c_schmitz Note Added: 65371
2021-07-12 12:41 galads Status assigned => confirmed
2021-07-12 12:41 galads Status confirmed => assigned
2021-11-04 10:45 DenisChenu Relationship added related to 17695
2021-11-10 07:59 c_schmitz Bug heat 266 => 272
2022-02-17 11:20 DenisChenu Assigned To DenisChenu => pstelling
2022-02-18 14:52 tassoman Note Added: 68325
2022-02-18 14:52 tassoman Bug heat 272 => 274
2022-02-18 14:55 tassoman Issue Monitored: tassoman
2022-02-18 14:55 tassoman Bug heat 274 => 276
2022-02-18 17:14 DenisChenu Bug heat 276 => 282
2022-02-18 17:16 DenisChenu Note Added: 68327
2022-02-18 17:23 tassoman Note Added: 68329
2022-02-25 11:50 pstelling Changeset attached => LimeSurvey master 8fdbfdab
2022-02-25 11:50 pstelling Note Added: 68409
2022-02-25 11:50 pstelling Bug heat 282 => 284
2022-02-25 11:50 pstelling Resolution open => fixed
2022-02-28 12:58 LimeBot Note Added: 68432
2022-02-28 12:58 LimeBot Status assigned => closed
2022-02-28 12:58 LimeBot Bug heat 284 => 286