View Issue Details

This bug affects 1 person(s).
ID: 16666
Project: Bug reports
Category: Security
View Status: public
Last Update: 2021-07-12 14:08
Reporter: phitho
Assigned To: c_schmitz
Priority: none
Severity: minor
Status: closed
Resolution: duplicate
Product Version: 3.23.3
Fixed in Version: 5.x
Summary: 16666: Registration (continue later): Bounced E-Mail with visible password
Description

One of my participants wanted to continue later and signed up with his e-mail address. There was a 554 error and the e-mail bounced to the administrator - with visible log-in credentials (e-mail and password).
The visible password should never be sent to the participants to prevent this.

Tags: security
Bug heat: 254
Complete LimeSurvey version number (& build): Version 3.23.3+200909
I will donate to the project if issue is resolved: No
Browser:
Database type & version: I'm not the admin
Server OS (if known):
Webserver software & version (if known):
PHP Version: I'm not the admin

Relationships

duplicate of 11848 (closed, c_schmitz), Feature requests: Saved Surveys - E-Mail Notification Password in Plain Text

Activities

uibklime1

2020-11-05 14:07

reporter   ~60560

Seconding. In fact, the BIG problem here is that the user is prompted for a password at all -- the user may be fooled into using a browser-prompted password for the user's logons on the same domain, which is completely INSECURE. So EITHER, the user should be sent a randomly generated password (or better yet, link) OR the password is not ever sent out plain text, but salted and hashed before POSTing. Alternatively, you can try to creatively figure out how to reverse-engineer Chrome's usability engineers with javascript+HTML to disable auto-fill of the password fields: https://stackoverflow.com/questions/15738259/disabling-chrome-autofill
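
The "send a link instead of the password" option raised in this issue, sketched as an added example (not LimeSurvey code and not part of the original report). The names `issue_resume_link`, `redeem`, `STORE` and `TOKEN_TTL`, the 7-day lifetime and the URL are assumptions made for the illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 7 * 24 * 3600   # assumed lifetime of a resume link, in seconds
STORE = {}                  # hypothetical stand-in for the saved-responses table


def _digest(token):
    # Only the hash of the token is stored, so a database leak does not
    # yield working resume links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_resume_link(email, response_id, base_url, now=None):
    """Create a random resume token and the e-mail body that carries it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    STORE[_digest(token)] = {
        "response_id": response_id,
        "email": email,
        "expires": now + TOKEN_TTL,
        "used": False,
    }
    # The body carries no user-chosen secret: a bounce that lands in the
    # administrator's mailbox exposes a short-lived, single-use link only.
    body = (
        "You saved your survey to continue later.\n"
        "Open this link to resume: %s?token=%s\n"
        "The link works once and expires after 7 days.\n" % (base_url, token)
    )
    return token, body


def redeem(token, now=None):
    """Return the saved response id for a valid token, otherwise None."""
    now = time.time() if now is None else now
    record = STORE.get(_digest(token))
    if record is None or record["used"] or now > record["expires"]:
        return None
    record["used"] = True                      # single use; re-saving issues a new link
    return record["response_id"]
```

A bounced message still discloses the link to whoever receives the bounce, but not a password the participant may reuse elsewhere, and the link stops working after first use or expiry.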

Issue History

Date Modified Username Field Change
2020-09-14 09:49 phitho New Issue
2020-11-05 13:49 uibklime1 Issue Monitored: uibklime1
2020-11-05 14:07 uibklime1 Note Added: 60560
2020-11-05 14:09 uibklime1 Tag Attached: security
2021-01-13 08:56 DenisChenu Category Encryption => Security
2021-01-13 08:59 DenisChenu Relationship added duplicate of 11848
2021-07-12 14:08 c_schmitz Assigned To => c_schmitz
2021-07-12 14:08 c_schmitz Status new => closed
2021-07-12 14:08 c_schmitz Resolution open => duplicate
2021-07-12 14:08 c_schmitz Fixed in Version => 5.x