View Issue Details

ID: 14770
Project: Bug reports
Category: Security
View Status: public
Last Update: 2019-07-11 15:54
Reporter: bewi
Assigned To: cdorin
Priority: none
Severity: minor
Status: closed
Resolution: fixed
Product Version: 3.17.x
Summary: 14770: autocomplete login data
Description

The username and password fields on the LimeSurvey login page allow the user's browser to store the username and password client-side, so that on future visits to the web application the data is automatically filled into the corresponding form fields.
This may, under certain circumstances, facilitate attacks that take over third-party user accounts, in which the victim's browser is accessed and the information stored there is then used to log on to the web application.
Together with a cross-site scripting vulnerability, client-side password storage represents an increased risk, as it is possible to read out the stored login data via JavaScript.
In spite of the fact that modern web browsers save the login data, it is recommended to provide the affected input fields and the entire form element with the attribute "autocomplete=off".

Tags: No tags attached.
Bug heat: 256
Complete LimeSurvey version number (& build): Version 3.17.1+190408
I will donate to the project if issue is resolved: No
Browser:
Database type & version:
Server OS (if known):
Webserver software & version (if known):
PHP Version:

Users monitoring this issue

DenisChenu

Activities

DenisChenu (developer) 2019-04-12 11:18 ~51451

No, because it's a dumb solution: https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#The_autocomplete_attribute_and_login_fields

Even without a master password, in-browser password management is generally seen as a net gain for security. Since users do not have to remember passwords that the browser stores for them, they are able to choose stronger passwords than they would otherwise.
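The report above asks for autocomplete="off" on the login fields and form, and the MDN page linked in the reply documents that current browsers ignore that attribute on login fields and offer to save the credentials anyway. The added example below (not LimeSurvey's code; the login page markup in it is constructed for illustration) is the kind of audit check a pentester or reviewer runs to report which password fields a page leaves open to browser autofill, resolving the effective setting from the field attribute, then the enclosing form, then the browser default of "on". Given the MDN behaviour, such a finding is informational: it tells you the attribute is absent, not that setting it would stop the browser from storing the password.

```python
from html.parser import HTMLParser

# Constructed sample login page; assumed markup, not LimeSurvey's real template.
SAMPLE_LOGIN_HTML = """
<form id="loginform" method="post" action="/admin/authentication/sa/login">
  <input type="text" name="user" id="user">
  <input type="password" name="password" id="password">
  <input type="submit" value="Log in">
</form>
<form id="pwchange" autocomplete="off">
  <input type="password" name="newpass" autocomplete="new-password">
</form>
"""


class AutocompleteAuditor(HTMLParser):
    """Collects every text/email/password <input> inside a <form> and records
    its effective autocomplete value (field attribute, else the form's
    attribute, else the browser default "on")."""

    def __init__(self):
        super().__init__()
        self._form_stack = []  # (form id, form-level autocomplete value or None)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form_stack.append((a.get("id") or "<anonymous>", a.get("autocomplete")))
        elif tag == "input" and self._form_stack:
            form_id, form_ac = self._form_stack[-1]
            itype = (a.get("type") or "text").lower()
            if itype not in ("text", "email", "password"):
                return  # submit buttons, hidden fields etc. are not autofilled
            effective = a.get("autocomplete") or form_ac or "on"
            self.findings.append({
                "form": form_id,
                "name": a.get("name") or a.get("id") or "?",
                "type": itype,
                "autocomplete": effective.lower(),
            })

    def handle_endtag(self, tag):
        if tag == "form" and self._form_stack:
            self._form_stack.pop()


def audit_autocomplete(html):
    """Return one finding dict per credential-bearing input in the page."""
    parser = AutocompleteAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def password_fields_open_to_autofill(html):
    """Password inputs whose effective setting is neither 'off' nor 'new-password'."""
    return [f for f in audit_autocomplete(html)
            if f["type"] == "password" and f["autocomplete"] not in ("off", "new-password")]


if __name__ == "__main__":
    for f in password_fields_open_to_autofill(SAMPLE_LOGIN_HTML):
        print(f"form={f['form']} field={f['name']} autocomplete={f['autocomplete']}")
```

Run against a saved copy of the login page, the script lists the fields a scanner would flag; on the constructed sample that is only the password field of "loginform", while "newpass" is excluded because its own autocomplete="new-password" overrides the form-level setting.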

cdorin (reporter) 2019-04-16 18:43 ~51493

Hello @bewi and thank you for your suggestion!

I will mark it with "feedback".

If a conclusion about its necessity is needed, then please provide below any other arguments.

I agree with @DenisChenu on this one.

Issue History

Date Modified Username Field Change
2019-04-12 11:07 bewi New Issue
2019-04-12 11:18 DenisChenu Note Added: 51451
2019-04-12 11:19 DenisChenu Issue Monitored: DenisChenu
2019-04-16 18:43 cdorin Status new => feedback
2019-04-16 18:43 cdorin Note Added: 51493
2019-07-11 15:54 cdorin Assigned To => cdorin
2019-07-11 15:54 cdorin Status feedback => closed
2019-07-11 15:54 cdorin Resolution open => fixed
2021-08-05 18:16 guest Bug heat 254 => 256