View Issue Details

ID: 04971
Project: Bug reports
Category: Security
View Status: public
Last Update: 2011-03-10 12:28
Reporter: Catze
Assigned To: lemeur
Priority: normal
Severity: minor
Status: closed
Resolution: fixed
Product Version: 1.90+
Fixed in Version: 1.91RC5
Summary: 04971: passwords
Description

An IT technician/admin pointed out to me that the passwords of an account are sent to the user in plain text, clearly with password and user name. Is it possible to fix it?

Crawlers scan all mails just for these terms. Especially for companies this is a high security risk - that's irresponsible.

What can I do?

Tags: No tags attached.
Attached Files
first_part.patch (808 bytes)   
Index: admin/usercontrol.php
===================================================================
--- admin/usercontrol.php	(revision 9809)
+++ admin/usercontrol.php	(working copy)
@@ -647,7 +647,7 @@
                 $addsummary .= "<div class=\"successheader\">".$clang->gT("Success!")."</div>\n";
             } elseif($uresult && !empty($sPassword))
             {
-                $addsummary .= "<br />".$clang->gT("Username").": $users_name<br />".$clang->gT("Password").": {$sPassword}<br /><br />\n";
+                $addsummary .= "<br />".$clang->gT("Username").": $users_name<br />".$clang->gT("Password").": ".preg_replace('/./','*',$sPassword)."<br /><br />\n";
                 $addsummary .= "<div class=\"successheader\">".$clang->gT("Success!")."</div>\n";
             }
             else
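Review bot: the `+` line still leaks the password length, because preg_replace('/./','*',$sPassword) emits exactly one asterisk per character, so the masked row tells a shoulder-surfer or a saved page how long the password is. If the password is not meant to be shown at all, drop the Password segment from $addsummary in this branch (the elseif already guards on !empty($sPassword), so the branch can simply report the username and the success header), or use a fixed-length mask such as str_repeat('*', 8). Note also that $users_name is interpolated into the HTML unescaped on both the old and the new line; since the line is being touched anyway, wrapping it in htmlspecialchars() would be cheap. This hunk covers only the GUI display; the e-mail path raised in the report is not changed here.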
Bug heat: 258
Complete LimeSurvey version number (& build): 1.9
I will donate to the project if issue is resolved: No
Browser:
Database type & version: -
Server OS (if known): -
Webserver software & version (if known): -
PHP Version: -

Users monitoring this issue

limech

Activities

limech

2011-02-21 16:21

reporter   ~14260

For what it's worth, I'd like to agree that the password management suggested by the reporter is to be considered a bug. Firstly, a password should never ever be reproduced on-screen in clear text; this part I think could be fixed rather easily with a one-line patch of admin/usercontrol.php (line 650).

Secondly, I think it is wrong also to write cleartext passwords in emails to a user. This is, however, of course more difficult to fix, as it involves a number of sent emails/situations, and has to be exchanged for quite a different handling, for example one-time login tickets for a newly created user.

But fixing only the first part now would be a great improvement, while postponing the second part until later.
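The one-time login ticket that limech suggests above, worked through as an added example. This is not LimeSurvey code and not part of the comment; the in-memory ticket store, the one-hour lifetime, the `admin/setpassword` route and all function names are assumptions made for the illustration. The point it shows is that the e-mail carries a single-use, expiring token whose hash is stored server-side, so neither the mail nor the database ever holds a reusable credential.

```php
<?php
// Added example (not LimeSurvey code): one-time login tickets as an
// alternative to e-mailing a cleartext password to a newly created user.
// The $tickets array stands in for a database table and the route in
// newUserMailBody() is hypothetical.

const TICKET_TTL_SECONDS = 3600;   // assumed policy: ticket valid for one hour

// Stand-in for a DB table: sha256(token) => ['uid' => ..., 'expires' => ...]
$tickets = [];

/**
 * Issue a ticket for $uid and return the raw token for the login URL.
 * Only the SHA-256 hash of the token is stored, so a copy of the table
 * cannot be turned back into a usable ticket.
 */
function issueTicket(array &$tickets, int $uid, int $now): string
{
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $tickets[hash('sha256', $token)] = [
        'uid'     => $uid,
        'expires' => $now + TICKET_TTL_SECONDS,
    ];
    return $token;
}

/**
 * Redeem a ticket exactly once. Returns the user id, or null for an
 * unknown, expired or already-used token. The entry is removed before
 * the expiry check so a stale ticket cannot be retried either.
 */
function redeemTicket(array &$tickets, string $token, int $now): ?int
{
    $key = hash('sha256', $token);
    if (!isset($tickets[$key])) {
        return null;
    }
    $entry = $tickets[$key];
    unset($tickets[$key]);                         // single use
    if ($now > $entry['expires']) {
        return null;
    }
    return $entry['uid'];
}

/**
 * Mail body for a new user: it carries the ticket URL and nothing else.
 * The user chooses a password after redeeming the ticket, so the mail
 * never contains one.
 */
function newUserMailBody(string $baseUrl, string $username, string $token): string
{
    // hypothetical route; the real application would map this to its own controller
    $url = $baseUrl . '/index.php?r=admin/setpassword&ticket=' . urlencode($token);
    return "Hello {$username},\n\n"
         . "An administrator account was created for you. Open the link below\n"
         . "within one hour to choose your password:\n\n{$url}\n";
}

// Walk-through with constructed data
$now   = time();
$token = issueTicket($tickets, 42, $now);
echo newUserMailBody('https://survey.example', 'alice', $token), "\n";

$first  = redeemTicket($tickets, $token, $now + 60);   // consumes the ticket
$second = redeemTicket($tickets, $token, $now + 61);   // same token presented again
$late   = issueTicket($tickets, 43, $now);
$stale  = redeemTicket($tickets, $late, $now + TICKET_TTL_SECONDS + 1); // past expiry

var_dump($first, $second, $stale);
```

Redeeming the ticket should land the user on a set-password form served over HTTPS; the token is then gone from the store, so forwarding or re-reading the mail later gives nothing, which is the property the cleartext-password mail lacks.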

limech

2011-02-21 16:55

reporter   ~14261

Kind of ugly but simple fix attached.

lemeur

2011-02-22 22:22

developer   ~14264

Sorry, I closed this one by error.

lemeur

2011-02-22 23:15

developer   ~14266

Fixed in rev 9810/9811.

Fixed issue 04971: user passwords for the LS GUI are displayed in clear text both in the GUI (when changing a password) and in emails (when adding a user or asking for a forgot-password reminder). Now it is possible to disable this with 2 new parameters: display_user_password_in_html (false by default) and display_user_password_in_email (true by default).

c_schmitz

2011-03-10 12:28

administrator   ~14388

1.91RC5 released.

Issue History

Date Modified Username Field Change
2011-02-21 15:12 Catze New Issue
2011-02-21 16:21 limech Note Added: 14260
2011-02-21 16:54 limech File Added: first_part.patch
2011-02-21 16:55 limech Note Added: 14261
2011-02-21 16:56 limech Issue Monitored: limech
2011-02-22 22:21 lemeur Status new => closed
2011-02-22 22:21 lemeur Assigned To => lemeur
2011-02-22 22:21 lemeur Resolution open => no change required
2011-02-22 22:22 lemeur Note Added: 14264
2011-02-22 22:22 lemeur Status closed => feedback
2011-02-22 22:22 lemeur Resolution no change required => reopened
2011-02-22 23:15 lemeur Note Added: 14266
2011-02-22 23:15 lemeur Status feedback => resolved
2011-02-22 23:15 lemeur Fixed in Version => 1.91RC5
2011-02-22 23:15 lemeur Resolution reopened => fixed
2011-03-10 12:28 c_schmitz Note Added: 14388
2011-03-10 12:28 c_schmitz Status resolved => closed
2021-08-07 13:15 guest Bug heat 256 => 258