View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|15190||Bug reports||Security||public||2019-08-26 20:15||2021-02-04 14:41|
|Summary||15190: Assigned administration user password is generated randomly, but not time-limited and user is not required to change it|
|Description||The provisioning of accounts presents an opportunity for an attacker to create a valid account without application of the proper identification and authorization process.|
User receives email with his credentials.
this is an automated email to notify that a user has been created for you on the site 'LimeSurvey'.
You can use now the following credentials to log into the site:
Click here to log in.
If you have any questions regarding this mail please do not hesitate to contact the site administrator at X@X.X. Thank you!
This password is generated randomly, is not time-limited and user is not required to change it. There is optional SMTP encryption (SSL/TLS) but SMTP is not the default setting. Unencrypted emails can be intercepted and user’s password can be obtained this way.
Passwords sent in emails should be valid only for specified amount of time and only usable once (user should be forced to change his password after first login).
Enforce limited validity of the generated passwords and force users to change their initial password after first login.
|Steps To Reproduce||Create a new administration user|
|Tags||No tags attached.|
|Complete LimeSurvey version number (& build)||3.17.13|
|I will donate to the project if issue is resolved||No|
|Database & DB-Version||MySQL|
|Server OS (if known)|
|Webserver software & version (if known)|
|has duplicate||09599||closed||c_schmitz||Feature requests||Use one time URL instead of sending password in "forgotten password" functionality|
|has duplicate||14049||closed||c_schmitz||Feature requests||Don't send plain text passwords through mail|
|related to||14408||closed||c_schmitz||Feature requests||DSVGO - sending passwort in plain-text with an e-mail is no longer allowed|
|related to||12427||closed||c_schmitz||Feature requests||Passwords allow for preceeding and trailing spaces|
I think there are a feature request for move from
«Password generated and send by emai (clearly)» to «Create a login and set a password»
The real issue is this: sending a password by email …
|It is not a real issue if it is a temporary one and must be changed by the user on first login.|
Then : i think it's best a direct link .
A lot of other system create a "One time login link"
More clear and clean in my opinion :)
|Sure, but between link and temp password is not really a difference, just the link is a bit more convenient.|
Maybe usage of «one time password» by default ?
1. Allow empty password in User::model
2. User with an empty password don't have access
3. Send a one time password when register
4. After one time password : send an alert about password +, redirect to user management.
Then : no DB update needed for 3.X.
Did this need to be allowed to disable by config (come back to previous system if user need) ?
I am not sure why https://bugs.limesurvey.org/view.php?id=12427 was closed but linked to this one, but if we are workin on password, we should definitely either disallow blanks within passwords or show a warning
a) when setting passwords
b) when entering/copying a password.
Copying passwords with blanks is a common support case because you sometimes don't notice that.
> we should definitely either disallow blanks within passwords or show a warning
**NO** we should allow empty password for webserver authentticate, LDAP, etc ....
Password is used **only** for AuthDB, then must be mandatory only when create an AuthDB user : form for user creation must come from Auth plugin ....
|@DenisChenu, I do not mind having empty passwords but that is different to detecting any blanks within a PW. The later is a desired feature since it will make things easier for the user who often misses a blank within the PW.|
You mean disallow whitespace inside password ?
Current 3.X : password is required
|Yes, one the one hand disallowed white spaces when creating password, on the other hand we should show a note if a PW at login screen was entered with a whitespace.|
|2019-08-26 20:15||c_schmitz||New Issue|
|2019-08-26 20:16||c_schmitz||Priority||none => high|
|2019-08-26 20:16||c_schmitz||Severity||minor => partial_block|
|2019-08-27 10:45||DenisChenu||Note Added: 53280|
|2019-08-27 10:45||DenisChenu||Relationship added||related to 14408|
|2019-08-27 10:45||DenisChenu||Relationship added||related to 09599|
|2019-08-27 10:46||DenisChenu||Relationship added||related to 14049|
|2019-08-27 10:48||c_schmitz||Relationship replaced||has duplicate 14408|
|2019-08-27 10:49||c_schmitz||Relationship deleted||has duplicate 14408|
|2019-08-27 11:03||c_schmitz||Relationship added||related to 14408|
|2019-08-27 11:04||c_schmitz||Summary||Assigned user password is generated randomly, but not time-limited and user is not required to change it => Assigned administration user password is generated randomly, but not time-limited and user is not required to change it|
|2019-08-27 11:05||c_schmitz||Note Added: 53282|
|2019-08-27 11:05||c_schmitz||Relationship replaced||has duplicate 09599|
|2019-08-27 11:10||DenisChenu||Note Added: 53284|
|2019-08-27 11:16||c_schmitz||Note Added: 53285|
|2019-08-27 11:17||c_schmitz||Relationship replaced||has duplicate 14049|
|2019-08-27 11:18||c_schmitz||Relationship added||related to 12427|
|2019-08-27 11:20||c_schmitz||View Status||private => public|
|2019-08-27 11:21||c_schmitz||Priority||high => normal|
|2019-09-18 16:36||DenisChenu||Note Added: 53639|
|2019-11-14 21:53||cdorin||Assigned To||=> cdorin|
|2019-11-14 21:53||cdorin||Status||new => assigned|
|2019-11-25 15:57||Mazi||Note Added: 54775|
|2019-11-25 21:39||DenisChenu||Note Added: 54779|
|2019-11-26 09:27||Mazi||Note Added: 54781|
|2019-11-26 18:31||DenisChenu||Note Added: 54810|
|2019-11-27 17:57||Mazi||Note Added: 54838|
|2021-02-04 10:15||cdorin||Status||assigned => new|
|2021-02-04 14:41||cdorin||Assigned To||cdorin =>|
|2021-02-04 14:41||cdorin||Status||new => confirmed|