19492: Different minimum password requirements inside and outside of LimeSurvey

This bug affects 2 person(s).

258

ID	Project	Category	View Status	Date Submitted	Last Update

19492	Bug reports	Security	public	2024-03-21 13:25	2024-03-21 15:40

Reporter	LDBV	Assigned To
Priority	none	Severity	minor
Status	new	Resolution	open
Product Version	6.4.x

Summary	19492: Different minimum password requirements inside and outside of LimeSurvey
Description	Greetings, we had a Pen-Test for our LimeSurvey V6 Server. The testers have found several critical security problems (we open different bug report tickets). When you have forgotten your password and ask LimeSurvey for an new password, you get an mail with a link to change your password. This password change link has different minimal password requirements (min 8 characters, min.1 number, min. 1 capital letter) compared to the password change function inside of LimeSurvey (our stricter settings are min. 10 characters, min. 1 number, min. 1 capital letter, min. 1 special character). Dr. Minke (Survey-Consulting) told us, that there is no way to change the settings (min 8 characters, min.1 number, min. 1 capital letter) of the "external" password change screen. The "external" password change screen should a) preferably use the same settings as the "internal" password change screen (which we admins can change) (prefered) or b) otherwise enable the admins to change the minimal password settings of the "external" password change screen. Thank you.
Steps To Reproduce	In the LogIn screen you click on "Forgot password?". The "external" password change screen opens and only wants the password to have min 8 characters, min.1 number, min. 1 capital letter. Our stricter specified minimum password settings are ignored (min. 10 characters, min. 1 number, min. 1 capital letter, min. 1 special character). The "internal" password change screen of LimeSurvey V6 (username - account - change password) correctly uses our stricter specified minimum password settings. Both password change screens should use the same admin user specified password settings.
Tags	No tags attached.

Bug heat	258
Complete LimeSurvey version number (& build)	both 6.4.6+240212 and 6.5.0+240319
I will donate to the project if issue is resolved	No
Browser	Regardless of the browser
Database type & version	MySQL 8.0.36
Server OS (if known)	SLES 15.5
Webserver software & version (if known)	Apache 2.4.51
PHP Version	PHP 8.0.30

User List	There are no users monitoring this issue.

Date Modified	Username	Field	Change
2024-03-21 13:25	LDBV	New Issue
2024-03-21 15:40	guest	Bug heat	250 => 256
2024-03-21 15:40	Mazi	Note Added: 79822
2024-03-21 15:40	Mazi	Bug heat	256 => 258
2024-03-21 15:40	Mazi	Note Edited: 79822

View Issue Details

Users monitoring this issue

Activities

Issue History

Mazi 2024-03-21 15:40 updater ~79822 Last edited: 2024-03-21 15:40	@DenisChenu, are you aware of a special setting for password strength at "Forgot PW" function?