View Issue Details

ID: 16470
Project: Development
Category: Security
View Status: public
Last Update: 2020-07-24 09:19

Reporter: DenisChenu
Assigned To: (none)
Priority: none
Severity: minor
Status: new
Resolution: open

Summary: 16470: Use real http header instead of redirect for permission denial
Description

There are parts of LimeSurvey where we filter GET values: `$sid = (int) $sid`, but this disallows other tools from doing their job.

Steps To Reproduce

Reminder: link access is hidden from simple users: the button must be disabled or hidden.

If a user tries to access it, it's clearly an error: maybe they are trying to find some information, or have been abused.

Additional Information

403: someone with a valid account tries to access something they don't have the right to. Sample: for surveys (for years).
400: someone tries to send bad parameters: can be XSS or SQL injection.

For example: you can use fail2ban or check the log to see the attack attempts. With direct filtering: no way to work on the log.
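To make the difference concrete, here is an added example in PHP (it is not LimeSurvey code; the `HttpError` class, the `surveyId*`/`requireSurveyRead`/`handle` functions, the request shapes and the access-log format are all constructed for illustration). It puts the silent `(int)` cast the report objects to beside a strict version that answers with a real 400/401/403 status and leaves a line in the log, then counts 400/403 per client the way a fail2ban filter would. In a Yii 1.x controller, `throw new CHttpException(403, ...)` is the native equivalent of the `HttpError` thrown here.

```php
<?php
// Added example, not LimeSurvey code: silent cast vs. strict validation
// with a real HTTP status. All names and formats below are hypothetical.

final class HttpError extends RuntimeException
{
    public function __construct(int $status, string $message)
    {
        parent::__construct($message, $status);   // getCode() carries the HTTP status
    }
}

// Before: '(int)' turns any junk into a number and the request "succeeds".
// 'aaa320' becomes 0 and '1 OR 1=1' becomes 1, so the attempt leaves no trace.
function surveyIdLenient($raw): int
{
    return (int) $raw;
}

// After: a survey id is a positive decimal integer and nothing else,
// anything different is a bad request (400), not silently repaired.
function surveyIdStrict($raw): int
{
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]*$/', $raw)) {
        throw new HttpError(400, 'Invalid survey id: ' . var_export($raw, true));
    }
    return (int) $raw;
}

// A logged-in user without the right gets 403, not a 302 to a "no permission"
// page. Not being logged in at all is the separate 401 case the issue mentions.
function requireSurveyRead(?string $user, int $sid, array $acl): void
{
    if ($user === null) {
        throw new HttpError(401, 'Login required');
    }
    if (empty($acl[$user]) || !in_array($sid, $acl[$user], true)) {
        throw new HttpError(403, "User $user may not read survey $sid");
    }
}

// Minimal dispatcher: returns [status, body] and appends one access-log line in a
// constructed web-server-like shape, so fail2ban or a grep on " 40[03]$" can see it.
function handle(array $request, ?string $user, array $acl, array &$accessLog): array
{
    $rawSid = $request['sid'] ?? null;
    try {
        $sid = surveyIdStrict($rawSid);
        requireSurveyRead($user, $sid, $acl);
        $status = 200;
        $body   = "survey $sid";
    } catch (HttpError $e) {
        $status = $e->getCode();
        $body   = $e->getMessage();
        // Application log: who, from where, why. This is the "at minimum log it" option.
        error_log(sprintf('[%s] user=%s %d %s', $request['ip'], $user ?? '-', $status, $body));
    }
    $accessLog[] = sprintf('%s - %s "GET /survey?sid=%s" %d',
        $request['ip'], $user ?? '-', (string) $rawSid, $status);
    return [$status, $body];
}

// --- demo on constructed requests ---
$acl       = ['alice' => [352826]];   // alice may read one survey; bob has no rights
$accessLog = [];

handle(['ip' => '10.0.0.5', 'sid' => '352826'], 'alice', $acl, $accessLog); // valid id, permitted user
handle(['ip' => '10.0.0.9', 'sid' => 'aaa320'], 'alice', $acl, $accessLog); // malformed id: lenient cast would give 0
handle(['ip' => '10.0.0.9', 'sid' => '352826'], 'bob',   $acl, $accessLog); // valid id, no permission
handle(['ip' => '10.0.0.9', 'sid' => '352826'], null,    $acl, $accessLog); // not logged in

foreach ($accessLog as $line) {
    echo $line, PHP_EOL;
}

// fail2ban-style view: count 400/403 responses per client address.
$hits = [];
foreach ($accessLog as $line) {
    if (preg_match('/^(\S+) .* (400|403)$/', $line, $m)) {
        $hits[$m[1]] = ($hits[$m[1]] ?? 0) + 1;
    }
}
print_r($hits);

// Same requests through the lenient cast: every id is "valid", so nothing to count.
echo 'lenient cast of aaa320: ', surveyIdLenient('aaa320'), PHP_EOL;
```

Run it with `php example.php`; the `error_log` lines go to stderr and the access-log lines to stdout. The point of the second loop is the one the report makes: with `surveyIdStrict` the three bad requests from 10.0.0.9 show up as 400/401/403 and the counter can trip a ban, whereas `surveyIdLenient` would have turned `aaa320` into survey 0 and answered with a redirect that no filter can tell from normal navigation.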

Tags: No tags attached.

Relationships

related to 14650 (new) Feature requests: Really throw error when user try to hack server
related to 16469 (closed, DenisChenu) Bug reports: Any admin user can see any question (without read right on survey)

Activities

DenisChenu (developer)   2020-07-08 15:11   ~58783

Idea: use type hints in all controller functions (I'll do a quick check in a few minutes).

DenisChenu (developer)   2020-07-08 15:25   ~58788

OK, some are OK:
/admin/questiongroups/sa/view/surveyid/352826/gid/aaa320 : 403

DenisChenu (developer)   2020-07-08 15:27   ~58789

Same with sid (except public), but maybe 400 (invalid request) is better?

DenisChenu (developer)   2020-07-08 15:31   ~58790

Type cast (on QuestionEditorController->actionView)

DenisChenu (developer)   2020-07-09 14:46   ~58848

Currently it's a redirect.

But I must remind: the error only happens for users who try a bad access.
So allowing the server to know that something bad happened is a security improvement.

DenisChenu (developer)   2020-07-09 14:56   ~58850

There is still the issue about the 401 (not connected), but here it's harder because the redirect is interesting.

DenisChenu (developer)   2020-07-09 14:58   ~58851

Currently we send a 302: Found, but moved to another place (Moved Temporarily).

It's really false.

DenisChenu (developer)   2020-07-09 15:06   ~58854

https://github.com/LimeSurvey/LimeSurvey/pull/1479

DenisChenu (developer)   2020-07-24 09:17   ~59068

Otherwise, we need at minimum to log the error …
https://github.com/LimeSurvey/LimeSurvey/pull/1248#issuecomment-482805331

Issue History

Date Modified | Username | Field | Change
2020-07-08 15:10 DenisChenu New Issue
2020-07-08 15:11 DenisChenu Note Added: 58783
2020-07-08 15:25 DenisChenu Note Added: 58788
2020-07-08 15:25 DenisChenu File Added: Capture d’écran du 2020-07-08 15-22-43.png
2020-07-08 15:27 DenisChenu Note Added: 58789
2020-07-08 15:31 DenisChenu Note Added: 58790
2020-07-08 15:31 DenisChenu File Added: Capture d’écran du 2020-07-08 15-31-18.png
2020-07-09 12:11 DenisChenu Relationship added related to 16469
2020-07-09 14:46 DenisChenu Note Added: 58848
2020-07-09 14:47 ollehar Summary Must send error not filter POST/GET value => Use 403 instead of redirect for permission denial
2020-07-09 14:55 DenisChenu Summary Use 403 instead of redirect for permission denial => Use clean http header instead of redirect for permission denial
2020-07-09 14:55 DenisChenu Additional Information Updated View Revisions
2020-07-09 14:56 DenisChenu Note Added: 58850
2020-07-09 14:57 DenisChenu Summary Use clean http header instead of redirect for permission denial => Use real http header instead of redirect for permission denial
2020-07-09 14:58 DenisChenu Note Added: 58851
2020-07-09 15:02 DenisChenu Steps to Reproduce Updated View Revisions
2020-07-09 15:02 DenisChenu Additional Information Updated View Revisions
2020-07-09 15:06 DenisChenu Note Added: 58854
2020-07-24 09:17 DenisChenu Note Added: 59068
2020-07-24 09:19 DenisChenu Relationship added related to 14650