View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 17695 | Bug reports | Authentication | public | 2021-11-04 09:23 | 2022-05-11 12:40 |

|Summary||17695: Exceeding the number of maximum access code validation attempts|
|Description|
For one survey, if a participant provided a wrong token five times, a message showing "You have exceeded the number of maximum access code validation attempts. Please wait 10 minutes before trying again" appears, and accordingly all participants of all active surveys become unable to access the surveys until the 10-minute waiting time finishes. Not only the survey participants, but also admin users can't sign in until the waiting time finishes.
Similarly, if an admin user provided 3 wrong password attempts, all other users must wait 10 minutes to access. The rule should be applied to that particular user only, not to all users. Also, when this issue happens, survey participants see a message saying "please wait 10 minutes before trying again"; however, if they provide a right token number, they are able to access.
|Steps To Reproduce|
1. Activate a token-based survey.
Expected: access should be denied on that survey only and for that participant only (through IP address, for example).
Actual: LS access is denied for all participants of all surveys as well as for admin users until after 10 minutes.
| Field | Value |
|---|---|
| Tags | No tags attached. |
| Complete LimeSurvey version number (& build) | 5.0.5+210621 |
| I will donate to the project if issue is resolved | No |
| Database type & version | MS SQL Server 2016 |
| Server OS (if known) | Win Server 2019 |
| Webserver software & version (if known) | IIS 10 |
|Notes|
See feature https://bugs.limesurvey.org/view.php?id=17322
Token: bot access: 1 second after 3 tries is the best.
Do you think it's OK?
Need the " that survey only" part more.
I totally agree, Denis; it should block from the specific IP only.
@medhat: we cannot block "THIS" token only.
I'm using the 3.x version behind a reverse proxy and behind Kubernetes.
HTTP_X_FORWARDED_FOR can be a comma separated list of IPv4 addresses.
Maybe I can post a patch on this. Do you accept GitHub pull requests?
More on this: I would say the IP address can be easily faked with crafted HTTP requests from an attacker. I wouldn't pay so much attention to this.
I'm going to file my issues inside 17322.
Yes, a complex solution, but even a solution based on fail2ban has such an issue …
As per the comments, will be closing the ticket.
Please add any comments in case it should be reopened.
@gabrieljenik the fix is applied for LS version 3, but we are facing the issue on LS version 5. Any recommendations?
Please ignore my last comment. I have version 5.3.8+220404 and I can see the new features under Global settings to control the behavior. Will check on that.
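Added illustration, not LimeSurvey's own code: a lockout keyed per survey and client address, as the thread asks for, beside the single global key that reproduces the behaviour the report describes, together with the X-Forwarded-For handling raised above, which trusts the header only for a configured number of proxies. `AccessCodeLimiter`, `client_ip` and the sample addresses are assumptions of this example; Python is used because no LimeSurvey API is involved.

```python
from collections import defaultdict

MAX_ATTEMPTS = 5        # failures before the lock, as in the report
LOCKOUT_SECONDS = 600   # "please wait 10 minutes"


def client_ip(remote_addr, xff_header, trusted_proxies=0):
    """Pick the address the lockout is keyed on.

    X-Forwarded-For is client-controlled unless a trusted proxy appended to
    it, so with N trusted proxies the real client is the N-th entry from the
    end; with none configured the header is ignored and remote_addr is used.
    """
    if trusted_proxies == 0 or not xff_header:
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    idx = len(hops) - trusted_proxies
    return hops[idx] if idx >= 0 else remote_addr  # too few hops: distrust


class AccessCodeLimiter:
    """Counts failed access-code checks and locks the chosen scope.

    scope maps (survey_id, ip) to the key the counter lives under. The
    default confines a lock to one participant on one survey; a scope that
    returns a constant reproduces the global lock described above.
    """

    def __init__(self, scope=lambda survey_id, ip: (survey_id, ip),
                 max_attempts=MAX_ATTEMPTS, lockout=LOCKOUT_SECONDS):
        self.scope, self.max_attempts, self.lockout = scope, max_attempts, lockout
        self.failures = defaultdict(list)  # key -> timestamps of recent failures
        self.locked_until = {}             # key -> time the lock expires

    def check(self, survey_id, ip, code_ok, now):
        """Return True if this attempt may proceed, False if refused."""
        key = self.scope(survey_id, ip)
        if self.locked_until.get(key, 0) > now:
            return False                   # still inside the waiting period
        if code_ok:
            self.failures.pop(key, None)   # a valid code clears the counter
            return True
        recent = [t for t in self.failures[key] if now - t < self.lockout]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) >= self.max_attempts:
            self.locked_until[key] = now + self.lockout
            self.failures.pop(key, None)
        return False
```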
|Issue History|
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2021-11-04 09:23 | sdsAdm1n | New Issue | |
| 2021-11-04 09:23 | sdsAdm1n | File Added: AdminScreen.png | |
| 2021-11-04 09:23 | sdsAdm1n | File Added: TokenScreen.png | |
| 2021-11-04 10:45 | DenisChenu | Relationship added | related to 17322 |
| 2021-11-04 10:47 | DenisChenu | Note Added: 67109 | |
| 2021-11-04 10:47 | DenisChenu | Bug heat | 0 => 2 |
| 2021-11-04 10:47 | DenisChenu | Note Edited: 67109 | |
| 2021-11-04 10:48 | DenisChenu | Note Added: 67110 | |
| 2021-11-08 05:51 | medhat | Issue Monitored: medhat | |
| 2021-11-08 05:51 | medhat | Bug heat | 2 => 4 |
| 2021-11-08 05:57 | medhat | Note Added: 67152 | |
| 2021-11-08 05:57 | medhat | Bug heat | 4 => 6 |
| 2021-11-08 05:57 | guest | Bug heat | 6 => 12 |
| 2021-11-08 08:52 | DenisChenu | Note Added: 67162 | |
| 2022-01-03 17:05 | DenisChenu | Category | Accessibility => Authentication |
| 2022-01-03 17:05 | DenisChenu | Description Updated | |
| 2022-01-03 17:05 | DenisChenu | Steps to Reproduce Updated | |
| 2022-02-18 14:52 | tassoman | Note Added: 68324 | |
| 2022-02-18 14:52 | tassoman | Bug heat | 12 => 14 |
| 2022-02-18 14:55 | tassoman | Issue Monitored: tassoman | |
| 2022-02-18 14:55 | tassoman | Bug heat | 14 => 16 |
| 2022-02-18 17:15 | DenisChenu | Bug heat | 16 => 22 |
| 2022-02-18 17:21 | tassoman | Note Added: 68328 | |
| 2022-02-18 17:29 | tassoman | Note Added: 68330 | |
| 2022-02-18 17:31 | DenisChenu | Note Added: 68331 | |
| 2022-04-22 14:51 | gabrieljenik | Assigned To | => gabrieljenik |
| 2022-04-22 14:51 | gabrieljenik | Status | new => closed |
| 2022-04-22 14:51 | gabrieljenik | Resolution | open => fixed |
| 2022-04-22 14:51 | gabrieljenik | Note Added: 69193 | |
| 2022-04-22 14:51 | gabrieljenik | Bug heat | 22 => 24 |
| 2022-04-22 14:52 | gabrieljenik | Resolution | fixed => duplicate |
| 2022-05-11 12:31 | sdsAdm1n | Note Added: 69575 | |
| 2022-05-11 12:31 | sdsAdm1n | Bug heat | 24 => 26 |
| 2022-05-11 12:40 | sdsAdm1n | Note Added: 69576 | |