View Issue Details

This bug affects 1 person(s).

ID: 13546
Project: Feature requests
Category: Security
View Status: public
Last Update: 2021-10-28 09:57
Reporter: Oli4
Assigned To: galads
Priority: none
Status: closed
Resolution: fixed
Summary: 13546: After entering the wrong password 5 times for any user, all users are blocked for 10 minutes (even admin)
Description

After entering the wrong password 5 times for any user (survey admin), all users are blocked for 10 minutes (even admin). It's a security issue because almost anybody can lock out everybody.

Steps To Reproduce

try it

Tags: No tags attached.
Bug heat: 260

Users monitoring this issue: Oli4

Activities

Oli4 (reporter), 2018-03-27 21:18, ~47241

It continues the time with every attempt

DenisChenu (developer), 2018-03-28 08:11, ~47242

With the same IP address, right?

«maxLoginAttempt: This is the number of attempts a user has to enter the correct password before he or she gets her or his IP address blocked/locked out.»

https://manual.limesurvey.org/Optional_settings#Security

Oli4 (reporter), 2018-03-28 09:00, ~47243

Yes, the server is behind a proxy (as many servers are, I guess). The problem is that ALL users are locked out and not only the specific user who entered the password wrong 5 times.

c_schmitz (administrator), 2018-03-28 12:23, ~47259

This is probably more of a feature request. Just raise the number of login attempts.
Long term, a whitelist would probably be needed.

DenisChenu (developer), 2018-03-28 12:25, ~47260

A whitelist can easily be done via a plugin (I have one).

Oli4 (reporter), 2018-03-29 19:38, ~47289

Why is it not possible, or so difficult, to block ONLY the specific user who entered the wrong password several times, and not the IP? Many/most servers are behind a reverse proxy and always see the same IP address. In this state of affairs, the whole system is blocked for all survey administrators.
Example: If I enter my Hotmail password wrong 10 times, the whole Hotmail system would not be blocked for everybody; only the account that I tried to access with wrong password attempts would be blocked (same as GMX, ...).
In my opinion it is a security issue because everybody who knows a survey admin's login can block the system for all admins.
Maybe we misunderstood.

galads (reporter), 2021-10-28 09:51, ~66988

It is now possible to whitelist IP addresses from the global settings and even in the config file. I am therefore closing this issue.
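The following is an added illustration, not LimeSurvey code, of the two points raised in this thread: the reporter's argument that a per-IP counter behind a reverse proxy locks out every administrator, and the resolution that an allow-list for trusted addresses avoids it. Account names, the proxy address, the allow-list range and the login sequence are constructed here; only the 5-attempt limit and the 10-minute lock come from the report.

```python
# Added example (not LimeSurvey code): models the lockout behaviour discussed
# above. A per-IP counter behind a reverse proxy locks out every user, while a
# per-account counter, or an allow-list for the proxy address, does not. Names,
# addresses and the login sequence are constructed; limit and lock time are from the thread.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

MAX_ATTEMPTS = 5        # maxLoginAttempt
LOCK_SECONDS = 10 * 60  # lock duration reported in the thread


@dataclass
class Lockout:
    key_by: str                        # "ip" or "user"
    allow_list: tuple = ()             # CIDRs exempt from IP-based locking
    failures: dict = field(default_factory=dict)  # key -> (count, locked_until)

    def _key(self, user, ip):
        return ip if self.key_by == "ip" else user

    def _exempt(self, ip):
        return self.key_by == "ip" and any(
            ip_address(ip) in ip_network(n) for n in self.allow_list)

    def is_locked(self, user, ip, now):
        _, until = self.failures.get(self._key(user, ip), (0, 0))
        return not self._exempt(ip) and now < until

    def attempt(self, user, ip, password_ok, now):
        """Process one login; returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(user, ip, now):
            return "locked"
        key = self._key(user, ip)
        count, until = self.failures.get(key, (0, 0))
        if password_ok:
            self.failures.pop(key, None)   # success clears the counter
            return "ok"
        count += 1
        if count >= MAX_ATTEMPTS:          # every further failure extends the lock
            until = now + LOCK_SECONDS
        self.failures[key] = (count, until)
        return "failed"


def simulate(policy):
    """Constructed scenario: 5 wrong passwords for 'alice', then 'bob' logs in correctly via the same proxy IP."""
    proxy_ip = "10.0.0.1"
    for t in range(MAX_ATTEMPTS):
        policy.attempt("alice", proxy_ip, False, now=t)
    return policy.attempt("bob", proxy_ip, True, now=MAX_ATTEMPTS)
```

With `Lockout("ip")` the unrelated user bob is locked out; with `Lockout("user")` or an IP policy whose allow-list covers the proxy address, bob logs in while alice's account alone stays locked.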

Issue History

Date Modified Username Field Change
2018-03-27 21:00 Oli4 New Issue
2018-03-27 21:18 Oli4 Note Added: 47241
2018-03-27 21:18 Oli4 Issue Monitored: Oli4
2018-03-28 08:11 DenisChenu Note Added: 47242
2018-03-28 09:00 Oli4 Note Added: 47243
2018-03-28 12:23 c_schmitz Note Added: 47259
2018-03-28 12:24 c_schmitz Project Bug reports => Feature requests
2018-03-28 12:25 DenisChenu Note Added: 47260
2018-03-29 19:38 Oli4 Note Added: 47289
2021-10-28 09:51 galads Note Added: 66988
2021-10-28 09:51 galads Bug heat 258 => 260
2021-10-28 09:57 galads Assigned To => galads
2021-10-28 09:57 galads Status new => closed
2021-10-28 09:57 galads Resolution open => fixed