View Issue Details

Related ChangesetsJump to NotesJump to History
This bug affects 1 person(s).
 6
IDProjectCategoryView StatusDate SubmittedLast Update
10509Bug reportsSurvey takingpublic2016-02-17 17:192018-09-28 14:12
Reporterc_schmitz Assigned Toc_schmitz  
PriorityimmediateSeveritypartial_block 
Status closedResolutionfixed 
Product Version2.06+ 
Fixed in Version2.06+ 
Summary10509: Security issue when saving/loading responses on public survey
Description

The following situtation has happened with a customer.

Customer receives an email with two surveys links (no /newtest parameters)

Both surveys use no tokens and have the following settings:
Responses to this survey are NOT anonymized.
It is presented group by group.
Participants can save partially finished surveys

I assume that the following has happened:

Customer takes first survey then saves his responses using 'resume later'. It is unkown if he then finishes the first survey or not.

Now he opens the second survey, and he sees responses from a different customer in the second survey preloaded.

I assume that the second survey uses the srid from the first survey to 'reload' the wrong response data

TagsNo tags attached.
Bug heat6
Complete LimeSurvey version number (& build)1234567
I will donate to the project if issue is resolvedNo
Browser.
Database type & version.
Server OS (if known).
Webserver software & version (if known).
PHP Version.

Users monitoring this issue

There are no users monitoring this issue.

Activities

ollehar

ollehar

2016-02-17 17:47

administrator   ~35326

  • Customer 1 saves in survey 1 and 2 and leaves
  • Customer 2 does the same (another browser)
  • Customer 1 comes back and opens ____?

Or is saving interleaved? Check db.
ollehar

ollehar

2016-02-18 15:21

administrator   ~35406

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=17502
ollehar

ollehar

2016-02-18 15:25

administrator   ~35407

Problem was that SavedControl would be loaded with only identification and password, but not survey id, thus potentially writing the wrong srid to the session (if he/she had more than one survey saved, any srid could be loaded). The user would then write data to the wrong row.
ollehar

ollehar

2016-02-18 15:26

administrator   ~35408

Fixed in 2.5, not 2.06 yet.
DenisChenu

DenisChenu

2016-02-19 12:42

developer   ~35448

"SavedControl would be loaded with only identification and password, but not survey id, " 8-O
c_schmitz

c_schmitz

2016-02-23 17:38

administrator   ~35610

Fix committed to 2.06lts branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=17586
DenisChenu

DenisChenu

2018-09-28 14:12

developer   ~49170

Fix committed to 2.06lts branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=28047

Related Changesets

LimeSurvey: master b30d8738

2016-02-18 15:20

ollehar


Details Diff		 Fixed issue 10509: Security issue when saving/loading responses on public survey Affected Issues
10509
mod - application/helpers/frontend_helper.php Diff File

LimeSurvey: 2.06lts 94d77173

2016-02-23 17:37

c_schmitz


Details Diff		 Fixed issue 10509: [Security] issue when saving/loading responses on public survey Affected Issues
10509
mod - application/helpers/frontend_helper.php Diff File

LimeSurvey: 2.06lts a6462bb2

2016-02-23 18:37

c_schmitz

Committer: DenisChenu


Details Diff		 Fixed issue 10509: [Security] issue when saving/loading responses on public survey Affected Issues
10509
mod - application/helpers/frontend_helper.php Diff File

Issue History

Date Modified Username Field Change
2016-02-17 17:19 c_schmitz New Issue
2016-02-17 17:19 c_schmitz Status new => assigned
2016-02-17 17:19 c_schmitz Assigned To => ollehar
2016-02-17 17:19 c_schmitz Priority normal => immediate
2016-02-17 17:19 c_schmitz Severity minor => partial_block
2016-02-17 17:47 ollehar Note Added: 35326
2016-02-18 15:21 ollehar Changeset attached => LimeSurvey master b30d8738
2016-02-18 15:21 ollehar Note Added: 35406
2016-02-18 15:21 ollehar Resolution open => fixed
2016-02-18 15:25 ollehar Note Added: 35407
2016-02-18 15:26 ollehar Note Added: 35408
2016-02-18 15:46 ollehar Assigned To ollehar => c_schmitz
2016-02-19 12:42 DenisChenu Note Added: 35448
2016-02-23 17:38 c_schmitz Changeset attached => LimeSurvey 2.06lts 94d77173
2016-02-23 17:38 c_schmitz Note Added: 35610
2016-02-23 17:38 c_schmitz Status assigned => closed
2016-02-23 17:38 c_schmitz Fixed in Version => 2.06+
2018-09-28 14:12 DenisChenu Changeset attached => LimeSurvey 2.06lts a6462bb2
2018-09-28 14:12 DenisChenu Note Added: 49170