View Issue Details

Jump to NotesJump to History
This bug affects 1 person(s).
 6
IDProjectCategoryView StatusDate SubmittedLast Update
10987Feature requestsPluginspublic2016-04-19 19:372019-06-12 18:30
Reporterakeyser Assigned ToDenisChenu  
PrioritynoneSeverityfeature 
Status assignedResolutionopen 
Summary10987: Plugin settings of type "password" are stored in plain text
Description

We are designing a plugin that has a setting of type 'password'. This (undocumented) setting type presents an input field with type="password", effectively masking the password to the user that types it in; this is expected, usual behaviour.

However, the input is stored directly in the database, in plain text, without any type of encoding. This may present a security risk.

Additional Information

Food for thought:

Where does the responsibility of encoding and decoding password settings lie? With the plugin developer, or with the LimeSurvey application that provides this setting type to begin with?

TagsNo tags attached.
Bug heat6
Story point estimate
Users affected %

Relationships

Relationship GraphDependency Graph
related to 12603 closeddominikvitt Bug reports Setting emailsmtppassword is saved as clear text 

Users monitoring this issue

Mazi

Activities

DenisChenu

DenisChenu

2016-04-20 11:39

developer   ~37585

Remark 1 : LS core already save SMTP password in clear text in DB
Remark 2 : Plugin passwoird is shown in HTML flow : this is the bug , not save in DB

Remark 3 : plugin are allowed to extend getPluginSettings and saveSettings
https://github.com/LimeSurvey/LimeSurvey/blob/master/application/libraries/PluginManager/PluginBase.php#L98
https://github.com/LimeSurvey/LimeSurvey/blob/master/application/libraries/PluginManager/PluginBase.php#L190
Then YOUR plugin can crypt the password the way the plugin want, and not core want.

Think it's more a feature request.
sammousa

sammousa

2016-04-20 11:43

reporter   ~37586

Note: There is no truly secure way for storing the password.

However we can apply encryption to protect from a DB only breach.

  1. We have an encryption password (something that is unique for each installation and not stored in the database.
  2. We encrypt the password using that encryption key, before storing it.
  3. We decrypt the password upon fetching it.

Notes:

  • The plugin developer can choose whether or not to serve the saved (decrypted) password as a default / current value, that is not up to us.
  • In case both the filesystem and database are breached this offers no protection.
  • We can't use hashing here since the password needs to be available in cleartext for use by the plugin.
DenisChenu

DenisChenu

2016-04-20 14:17

developer   ~37605

Move to feature , and question is

  • Did LS must crypt the password of plugin by default or not.
DenisChenu

DenisChenu

2019-06-12 18:30

developer   ~52382

I think i add a options encryt=>true/false :)
And then add the default behaviour for saving :)

Issue History

Date Modified Username Field Change
2016-04-19 19:37 akeyser New Issue
2016-04-20 11:32 ollehar Assigned To => DenisChenu
2016-04-20 11:32 ollehar Status new => assigned
2016-04-20 11:39 DenisChenu Note Added: 37585
2016-04-20 11:43 sammousa Note Added: 37586
2016-04-20 14:15 DenisChenu Assigned To DenisChenu =>
2016-04-20 14:16 DenisChenu Project Bug reports => Feature requests
2016-04-20 14:16 DenisChenu Status assigned => new
2016-04-20 14:16 DenisChenu Severity @60@ => feature
2016-04-20 14:16 DenisChenu Product Version 2.5 =>
2016-04-20 14:17 DenisChenu Note Added: 37605
2017-08-23 12:47 DenisChenu Relationship added related to 12603
2019-03-12 16:23 Mazi Issue Monitored: Mazi
2019-06-12 18:30 DenisChenu Assigned To => DenisChenu
2019-06-12 18:30 DenisChenu Status new => assigned
2019-06-12 18:30 DenisChenu Note Added: 52382