View Issue Details

IDProjectCategoryView StatusLast Update
14710Feature requests[All Projects] Securitypublic2019-04-05 15:29
Reporterbulgin Assigned To 
PrioritynoneSeverityfeature 
Status newResolutionopen 
Product Version 
Target VersionFixed in Version 
Summary14710: Request to log unauthorized token entries
Description

It is common for bots and people to attempt to hack limesurvey via tokens. If administrators test the "crackability" of the lime survey generated tokens less than 6 characters on any number of online sites that test passwords, you will see that these tokens are easily cracked in under 60 seconds. A solution is easy: log failed attempts to any number of logs files and then we can use systems like csf and other log-monitoring software to block the ips after X attempts. For example, the limesurvey generated password: 0hMRb7 can be cracked in 3 hours by a home computer according to kapsersky online password tester and reportedly in 1 second by howsecureismypassword.net.

Additional Information

Limesurvey does offer the option to create long passwords that are more difficult to crack, however, in many use cases administrators need to send password tokens to users not as a link, but as the actual password (for example in a survey in which the participants are invited via regular postal mail, etc.). One use case is a survey being administered to people with disabilities or seniors. The fact that some populations have limited access to technology should not deter them from taking surveys, in my view, yet surveys for disadvantaged people with disables are useful for improving their lives, although this is just one use case. It would be very beneficial to therefore have the token as something that can be easily copied and input without too much difficulty. If a brute force attack is being used, then by creating a log of such activity we, as administrators, can simply block the ip or send them elsewhere. Thank you.

TagsNo tags attached.

Activities

bulgin

bulgin

2019-04-01 14:39

reporter   ~51243

Suggestion:

401 requires the originating server to send a WWW-Authenticate header field which I don't think happens in this case and 403 has similar requirements. From RFC 2616 I think a 400 would be the best:

400 Bad Request

The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.

DenisChenu

DenisChenu

2019-04-01 15:27

developer   ~51247

Yep, right, not exactly a 401 (even a 400 in fact).

Currently seems you can use https://github.com/LimeSurvey/LimeSurvey/blob/f62a73c8ff91a4d501517fc6cd4532cab1da6231/application/controllers/survey/index.php#L478 onSurveyDenied event : and then log it or send a 400 ?

bulgin

bulgin

2019-04-01 17:31

reporter   ~51251

Looks promising! So what's the next step to log this information? Even if tweaked locally before any kind of update. I'm not such a great code maven.

ritapas

ritapas

2019-04-03 09:30

reporter   ~51291

+1

Mazi

Mazi

2019-04-05 08:49

partner   ~51356

While I think that this is a nice idea I wonder a little about the benefit. If you successfully find a valid token, what can you do with it? And maybe even more important: Why should you do that at all? What's your benefit?

DenisChenu

DenisChenu

2019-04-05 08:54

developer   ~51360

Valid token : user information : can be a great great great benefit. You don't known what our user do with LimeSurvey …
There are medical system, account system etc …

Mazi

Mazi

2019-04-05 09:28

partner   ~51369

I agree, if the survey is not anonymous and user details are embedded at the survey, that is indeed a risk.

bulgin

bulgin

2019-04-05 14:37

reporter   ~51386

I'm trying to understand the responses. The only benefit is to block malicious behavior against token entries, and thereby prevent a malicious user from gaining access to a survey. From my position it seems this can be easily done by logging failed token access attempts to a custom log file, and then blocking that IP address with programs like csf (ConfigServer) and others.

bulgin

bulgin

2019-04-05 14:39

reporter   ~51387

FYI: programs like ConfigServer and Fail2Ban simply monitor repeated failed attempts in log files and then block them by IP after X attempts.

DenisChenu

DenisChenu

2019-04-05 14:54

developer   ~51388

@bulgin : yes , but fail2ban can track 400 error directly too
Yes : can actually done with onSurveyDenied event , it's what i put in https://bugs.limesurvey.org/view.php?id=14710#c51247

bulgin

bulgin

2019-04-05 15:07

reporter   ~51389

@DenisChenu Yes, I saw your reference. Just don't understand how I can integrate that for desired result or were you just identifying an area of the code were this information is already captured? So my question is: now what?

DenisChenu

DenisChenu

2019-04-05 15:29

developer   ~51390

See a sample plugin : https://github.com/LimeSurvey/LimeSurvey/blob/master/plugins/Demo/ShowResponse/ShowResponse.php

Add this (not tested) in the function

\Yii::log("Bad token entered", error, 'plugin.logToken.Error');

Use Yii to log it where you want exactly : https://manual.limesurvey.org/Optional_settings#Logging_settings

Issue History

Date Modified Username Field Change
2019-04-01 14:35 bulgin New Issue
2019-04-01 14:39 bulgin Note Added: 51243
2019-04-01 15:27 DenisChenu Note Added: 51247
2019-04-01 17:31 bulgin Note Added: 51251
2019-04-03 09:30 ritapas Note Added: 51291
2019-04-05 08:49 Mazi Note Added: 51356
2019-04-05 08:54 DenisChenu Note Added: 51360
2019-04-05 09:28 Mazi Note Added: 51369
2019-04-05 14:37 bulgin Note Added: 51386
2019-04-05 14:39 bulgin Note Added: 51387
2019-04-05 14:54 DenisChenu Note Added: 51388
2019-04-05 15:07 bulgin Note Added: 51389
2019-04-05 15:29 DenisChenu Note Added: 51390