View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
04971 | Bug reports | Security | public | 2011-02-21 15:12 | 2011-03-10 12:28 |

Field | Value |
---|---|
Reporter | Catze |
Assigned To | lemeur |
Priority | normal |
Severity | minor |
Status | closed |
Resolution | fixed |
Product Version | 1.90+ |
Fixed in Version | 1.91RC5 |
Summary | 04971: passwords |
Description | An IT technician/admin pointed out to me that the password of an account is sent to the user in plain text, clearly labelled with user name and password. Is it possible to fix it? Crawlers scan all mails just for these terms. Especially for companies this is a high security risk - that's irresponsible. What can I do? |
Tags | No tags attached. |
Attached Files | first_part.patch (808 bytes)
Index: admin/usercontrol.php =================================================================== --- admin/usercontrol.php (revision 9809) +++ admin/usercontrol.php (working copy) @@ -647,7 +647,7 @@ $addsummary .= "<div class=\"successheader\">".$clang->gT("Success!")."</div>\n"; } elseif($uresult && !empty($sPassword)) { - $addsummary .= "<br />".$clang->gT("Username").": $users_name<br />".$clang->gT("Password").": {$sPassword}<br /><br />\n"; + $addsummary .= "<br />".$clang->gT("Username").": $users_name<br />".$clang->gT("Password").": ".preg_replace('/./','*',$sPassword)."<br /><br />\n"; $addsummary .= "<div class=\"successheader\">".$clang->gT("Success!")."</div>\n"; } else | ||||
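Review bot: the `+` line's `preg_replace('/./','*',$sPassword)` leaks the password length, since every character becomes exactly one asterisk (and without the `u` modifier a multibyte character becomes several, while without the `s` modifier a newline passes through unmasked). If the success summary must confirm that a password was set, print a fixed placeholder, e.g. `$clang->gT("Password").": ********"`, or drop the password line and keep only the username. The same line also still interpolates `$users_name` into HTML unescaped; that is pre-existing, but worth fixing while touching the line.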

Field | Value |
---|---|
Bug heat | 258 |
Complete LimeSurvey version number (& build) | 1.9 |
I will donate to the project if issue is resolved | No |
Browser | |
Database type & version | - |
Server OS (if known) | - |
Webserver software & version (if known) | - |
PHP Version | - |
Note 14260 (limech, 2011-02-21 16:21)

For what it's worth, I'd like to agree that the password management described by the reporter is to be considered a bug. Firstly, a password should never ever be reproduced on-screen in clear text; this part, I think, could be fixed rather easily with a one-line patch of admin/usercontrol.php (line 650). Secondly, I think it is also wrong to write cleartext passwords in emails to a user. This is, however, of course more difficult to fix, as it involves a number of sent emails/situations, and has to be exchanged for quite a different handling, for example one-time login tickets for a newly created user. But fixing only the first part now would be a great improvement, while postponing the second part until later.
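The "one-time login ticket" handling proposed in the note above, as an added example in PHP (the project's language); this is not LimeSurvey code and not the patch attached to this issue. A newly created user receives a mail with a single-use, expiring link instead of a cleartext password. The function names (`issue_ticket`, `redeem_ticket`, `build_welcome_mail`), the `/admin/login?ticket=` route, the in-memory `$store` standing in for a database table and the one-hour lifetime are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not LimeSurvey code. Shows the one-time login ticket approach:
// the mail carries a single-use, expiring link; no password is ever written
// to the mail or to the screen. $store stands in for a database table and the
// function names, route and lifetime below are assumptions.

const TICKET_TTL_SECONDS = 3600;   // assumed ticket lifetime: one hour

/**
 * Issue a ticket for user $uid and return the secret that goes into the link.
 * Only a SHA-256 hash of the secret is stored, so a dump of the ticket table
 * (or a log line that prints the row) cannot be used to log in.
 */
function issue_ticket(array &$store, int $uid, int $now): string
{
    $secret  = bin2hex(random_bytes(32));      // 256 bits of entropy, URL-safe hex
    $store[] = [
        'uid'     => $uid,
        'hash'    => hash('sha256', $secret),
        'expires' => $now + TICKET_TTL_SECONDS,
        'used'    => false,
    ];
    return $secret;
}

/**
 * Redeem a ticket. Returns the user id on success and null on any failure
 * (unknown, already used, expired). The ticket is marked used before the
 * id is returned, so the same link cannot be replayed.
 */
function redeem_ticket(array &$store, string $secret, int $now): ?int
{
    $hash = hash('sha256', $secret);
    foreach ($store as $i => $row) {
        if (!hash_equals($row['hash'], $hash)) {   // constant-time comparison
            continue;
        }
        if ($row['used'] || $now > $row['expires']) {
            return null;
        }
        $store[$i]['used'] = true;
        return $row['uid'];
    }
    return null;
}

/** Welcome mail for the new user: user name and link only, never a password. */
function build_welcome_mail(string $username, string $baseUrl, string $secret): string
{
    $link = $baseUrl . '/admin/login?ticket=' . rawurlencode($secret);   // assumed route
    return "Username: {$username}\n"
         . "Set your password within one hour using this one-time link:\n"
         . "{$link}\n";
}

// Demonstration with an in-memory store and a fixed clock (constructed data).
$store  = [];
$now    = 1700000000;
$secret = issue_ticket($store, 42, $now);
$mail   = build_welcome_mail('alice', 'https://survey.example', $secret);

assert(strpos($mail, 'Password:') === false);                  // no password line in the mail

$tampered = substr($secret, 0, -1) . ($secret[-1] === 'a' ? 'b' : 'a');
assert(redeem_ticket($store, $tampered, $now + 60) === null);   // unknown ticket is rejected
assert(redeem_ticket($store, $secret, $now + 60) === 42);       // first use succeeds
assert(redeem_ticket($store, $secret, $now + 61) === null);     // replay is rejected

$late = issue_ticket($store, 43, $now);
assert(redeem_ticket($store, $late, $now + TICKET_TTL_SECONDS + 1) === null);   // expired
echo "ok\n";
```

In a real deployment the lookup would select the row by its hash column instead of scanning, the redeem step would run inside the same transaction that marks the row used, and redeeming a ticket should also invalidate any other outstanding tickets for that user before the password-set form is shown.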
Note 14261 (limech, 2011-02-21 16:55)

Kind of ugly but simple fix attached.
Note 14264 (lemeur, 2011-02-22 22:22)

Sorry, I closed this one by error.
Note 14266 (lemeur, 2011-02-22 23:15)

Fixed in rev 9810/9811. Fixed issue 04971: user passwords for the LS GUI are displayed in clear text both in the GUI (when changing a password) and in emails (when adding a user or asking for a forgot-password reminder). Now it is possible to disable this with 2 new parameters: display_user_password_in_html (false by default) and display_user_password_in_email (true by default).
Note 14388 (c_schmitz, 2011-03-10 12:28)

1.91RC5 released.

Date Modified | Username | Field | Change |
---|---|---|---|
2011-02-21 15:12 | Catze | New Issue | |
2011-02-21 16:21 | limech | Note Added: 14260 | |
2011-02-21 16:54 | limech | File Added: first_part.patch | |
2011-02-21 16:55 | limech | Note Added: 14261 | |
2011-02-21 16:56 | limech | Issue Monitored: limech | |
2011-02-22 22:21 | lemeur | Status | new => closed |
2011-02-22 22:21 | lemeur | Assigned To | => lemeur |
2011-02-22 22:21 | lemeur | Resolution | open => no change required |
2011-02-22 22:22 | lemeur | Note Added: 14264 | |
2011-02-22 22:22 | lemeur | Status | closed => feedback |
2011-02-22 22:22 | lemeur | Resolution | no change required => reopened |
2011-02-22 23:15 | lemeur | Note Added: 14266 | |
2011-02-22 23:15 | lemeur | Status | feedback => resolved |
2011-02-22 23:15 | lemeur | Fixed in Version | => 1.91RC5 |
2011-02-22 23:15 | lemeur | Resolution | reopened => fixed |
2011-03-10 12:28 | c_schmitz | Note Added: 14388 | |
2011-03-10 12:28 | c_schmitz | Status | resolved => closed |
2021-08-07 13:15 | guest | Bug heat | 256 => 258 |