View Issue Details

ID: 14770
Project: Bug reports
Category: [All Projects] Security
View Status: public
Last Update: 2019-04-16 18:43
Reporter: bewi
Assigned To: (unassigned)
Priority: none
Severity: minor
Status: feedback
Resolution: open
Product Version: 3.17.x
Target Version: (none)
Fixed in Version: (none)
Summary: 14770: autocomplete login data
Description

The username and password fields on the LimeSurvey login page allow the user's browser to store the username and password client-side, so that on future visits to the web application the data is automatically filled into the corresponding form fields.
This may, under certain circumstances, facilitate attacks to take over third-party user accounts, in which the victim's browser can be accessed and the information stored there can then be used to log on to the web application.
Together with a cross-site scripting vulnerability, client-side password storage represents an increased risk, as it is possible to read out the stored login data via JavaScript.
In spite of the fact that modern web browsers save the login data, it is recommended to provide the affected input fields and the entire form element with the attribute "autocomplete=off".

Tags: No tags attached.
Complete LimeSurvey version number (& build): Version 3.17.1+190408
I will donate to the project if issue is resolved: No
Browser: (not given)
Database & DB-Version: (not given)
Server OS (if known): (not given)
Webserver software & version (if known): (not given)
PHP Version: (not given)

Activities

DenisChenu (developer), 2019-04-12 11:18, note ~51451

No, because it's a dumb solution: https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#The_autocomplete_attribute_and_login_fields

Even without a master password, in-browser password management is generally seen as a net gain for security. Since users do not have to remember passwords that the browser stores for them, they are able to choose stronger passwords than they would otherwise.

cdorin (manager), 2019-04-16 18:43, note ~51493

Hello @bewi and thank you for your suggestion!

I will mark it with "feedback".

If a conclusion about its necessity is needed, then please provide below any other arguments.

I agree with @DenisChenu on this one.

Issue History

Date Modified       Username     Field       Change
2019-04-12 11:07    bewi         New Issue
2019-04-12 11:18    DenisChenu   Note Added: 51451
2019-04-16 18:43    cdorin       Status      new => feedback
2019-04-16 18:43    cdorin       Note Added: 51493