14770: autocomplete login data - LimeSurvey bugs and feature requests

This bug affects 1 person(s).

256

ID	Project	Category	View Status	Date Submitted	Last Update

14770	Bug reports	Security	public	2019-04-12 11:07	2019-07-11 15:54

Reporter	bewi	Assigned To	cdorin
Priority	none	Severity	minor
Status	closed	Resolution	fixed
Product Version	3.17.x

Summary	14770: autocomplete login data
Description	The username and password field on the LimeSurvey login page allow the user's browser a client-side storage of username and password, whereby the data during future visits to the web application is automatically transferred to the corresponding form field. This may - under certain circumstances - facilitate attacks to take over third-party user accounts in which the victim's browser can be accessed and the information stored there can then be used to log on to the web application. Together with a cross-site scripting vulnerability, client-side password storage represents an increased risk, as it is possible to read out the stored login data via JavaScript. In spite of the fact that modern web browsers save the login data it is recommended to provide the affected input fields and the entire form element with the attribute "autocomplete=off".
Tags	No tags attached.

Bug heat	256
Complete LimeSurvey version number (& build)	Version 3.17.1+190408
I will donate to the project if issue is resolved	No
Browser
Database type & version	*
Server OS (if known)
Webserver software & version (if known)
PHP Version	*

User List	DenisChenu

DenisChenu 2019-04-12 11:18 developer ~51451	No, because it's a dumb solution : https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#The_autocomplete_attribute_and_login_fields Even without a master password, in-browser password management is generally seen as a net gain for security. Since users do not have to remember passwords that the browser stores for them, they are able to choose stronger passwords than they would otherwise.

cdorin 2019-04-16 18:43 reporter ~51493	Hello @bewi and thank you for your suggestion! I will mark it with "feedback". If a conclusion about its necessity is needed, then please provide below any other arguments. I agree with @DenisChenu on this one.

Date Modified	Username	Field	Change
2019-04-12 11:07	bewi	New Issue
2019-04-12 11:18	DenisChenu	Note Added: 51451
2019-04-12 11:19	DenisChenu	Issue Monitored: DenisChenu
2019-04-16 18:43	cdorin	Status	new => feedback
2019-04-16 18:43	cdorin	Note Added: 51493
2019-07-11 15:54	cdorin	Assigned To	=> cdorin
2019-07-11 15:54	cdorin	Status	feedback => closed
2019-07-11 15:54	cdorin	Resolution	open => fixed
2021-08-05 18:16	guest	Bug heat	254 => 256