View Issue Details

This bug affects 1 person(s).
ID: 15190
Project: Bug reports
Category: Security
View Status: public
Last Update: 2021-07-12 11:52
Reporter: c_schmitz
Assigned To: c_schmitz
Priority: normal
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 3.17.x
Fixed in Version: 5.x
Summary: 15190: Assigned administration user password is generated randomly, but not time-limited and user is not required to change it
Description

The provisioning of accounts presents an opportunity for an attacker to create a valid account without application of the proper identification and authorization process.
Analysis
The user receives an email with their credentials:

Hello tmp,

this is an automated email to notify that a user has been created for you on the site 'LimeSurvey'.

You can use now the following credentials to log into the site:
Username: tmp
Password: sSAMucM5YXnT
Click here to log in.

If you have any questions regarding this mail please do not hesitate to contact the site administrator at X@X.X. Thank you!

This password is generated randomly, is not time-limited, and the user is not required to change it. There is optional SMTP encryption (SSL/TLS), but SMTP is not the default setting. Unencrypted emails can be intercepted and the user's password obtained this way.
Passwords sent in emails should be valid only for a specified amount of time and only usable once (the user should be forced to change their password after first login).

Enforce limited validity of the generated passwords and force users to change their initial password after first login.

Steps To Reproduce

Create a new administration user

Tags: No tags attached.
Bug heat: 286
Complete LimeSurvey version number (& build): 3.17.13
I will donate to the project if issue is resolved: No
Browser:
Database type & version: MySQL
Server OS (if known):
Webserver software & version (if known):
PHP Version: 7

Relationships

has duplicate  09599  closed  c_schmitz  Feature requests  Use one time URL instead of sending password in "forgotten password" functionality
has duplicate  14049  closed  c_schmitz  Feature requests  Don't send plain text passwords through mail
related to     14408  closed  c_schmitz  Feature requests  DSVGO - sending passwort in plain-text with an e-mail is no longer allowed
related to     12427  closed  c_schmitz  Feature requests  Passwords allow for preceeding and trailing spaces

Users monitoring this issue

DenisChenu, kjnerhus

Activities

DenisChenu (developer), 2019-08-27 10:45, note ~53280

I think there is a feature request to move from
«Password generated and sent by email (in clear)» to «Create a login and set a password».

The real issue is this: sending a password by email …

https://bugs.limesurvey.org/view.php?id=14408
https://bugs.limesurvey.org/view.php?id=9599

c_schmitz (administrator), 2019-08-27 11:05, note ~53282

It is not a real issue if it is a temporary one and must be changed by the user on first login.

DenisChenu (developer), 2019-08-27 11:10, note ~53284

Then: I think a direct link is best.

A lot of other systems create a "one time login link".
More clear and clean in my opinion :)

c_schmitz (administrator), 2019-08-27 11:16, note ~53285

Sure, but between a link and a temp password there is not really a difference; the link is just a bit more convenient.

DenisChenu (developer), 2019-09-18 16:36, note ~53639

Maybe use a «one time password» by default?

My idea:

  1. Allow an empty password in User::model
  2. A user with an empty password doesn't have access
  3. Send a one-time password on registration
  4. After the one-time password: send an alert about the password, redirect to user management.

Then: no DB update needed for 3.X.

Does this need to be disableable by config (go back to the previous system if the user needs it)?
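The flow the report asks for (an initial credential that is time-limited and single-use, followed by a forced password change) and DenisChenu's variant above (an account with no usable password gets no access until its one-time secret is redeemed) can be sketched in one place. The following is an added example, not LimeSurvey code; it uses an in-memory store standing in for the users table, and the names `Store`, `provision_user`, `login`, `set_password` and `INVITE_TTL_SECONDS` are assumptions for illustration. Whether the secret is delivered as a temporary password or embedded in a login URL is the same mechanism, as c_schmitz notes above; what matters is that only its hash is stored, that it dies after one use or after the TTL, and that a redeemed secret leads straight to the password form.

```python
"""One-time, time-limited initial credential with forced password change.

Added example, not LimeSurvey code. Names (Store, provision_user, login,
set_password, INVITE_TTL_SECONDS) are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time

INVITE_TTL_SECONDS = 24 * 60 * 60   # assumed policy: initial secret dies after 24 h
PBKDF2_ROUNDS = 200_000


class Store:
    """In-memory stand-in for the users table."""

    def __init__(self):
        # username -> {"password_hash": str | None, "invite": dict | None}
        # password_hash None means "no usable password yet": such an account
        # cannot log in with a password at all (DenisChenu's point 2).
        self.users = {}


def _hash_secret(secret):
    # Only a hash of the one-time secret is stored; a DB dump cannot replay it.
    return hashlib.sha256(secret.encode()).hexdigest()


def _hash_password(password, salt=None):
    salt = salt or secrets.token_hex(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), PBKDF2_ROUNDS)
    return f"{salt}${dk.hex()}"


def _verify_password(password, stored):
    salt, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def provision_user(store, username, now=None):
    """Create an account with no password and return the one-time secret to
    e-mail (as a temporary password or inside a login URL). The plaintext
    secret is never stored, and it is only good once and only until expiry."""
    now = time.time() if now is None else now
    secret = secrets.token_urlsafe(32)
    store.users[username] = {
        "password_hash": None,
        "invite": {"secret_hash": _hash_secret(secret),
                   "expires": now + INVITE_TTL_SECONDS,
                   "used": False},
    }
    return secret


def login(store, username, credential, now=None):
    """Return 'ok', 'must_change_password' or 'denied'."""
    now = time.time() if now is None else now
    user = store.users.get(username)
    if user is None:
        return "denied"
    if user["password_hash"] is not None:
        # Normal path; once a real password exists the invite is never accepted.
        return "ok" if _verify_password(credential, user["password_hash"]) else "denied"
    inv = user["invite"]
    if (inv is None or inv["used"] or now > inv["expires"]
            or not hmac.compare_digest(_hash_secret(credential), inv["secret_hash"])):
        return "denied"
    inv["used"] = True                       # single use, even well before expiry
    return "must_change_password"            # caller redirects to the password form


def set_password(store, username, new_password):
    """Called from the forced password-change screen. Refuses accounts that
    have neither a password nor a redeemed invite, so the screen cannot be
    reached by guessing a username; on success the invite is retired."""
    user = store.users[username]
    inv = user["invite"]
    if user["password_hash"] is None and not (inv and inv["used"]):
        raise PermissionError("invite not redeemed")
    user["password_hash"] = _hash_password(new_password)
    user["invite"] = None


if __name__ == "__main__":
    s = Store()
    secret = provision_user(s, "tmp", now=0.0)
    print(login(s, "tmp", secret, now=10.0))                          # must_change_password
    print(login(s, "tmp", secret, now=20.0))                          # denied (already used)
    set_password(s, "tmp", "correct horse battery staple")
    print(login(s, "tmp", "correct horse battery staple", now=30.0))  # ok
```

A user who redeems the secret but abandons the password form ends up with a used invite and no password, which correctly leaves the account unusable until an administrator re-provisions it; that is the intended failure mode, not a bug.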

Mazi (updater), 2019-11-25 15:57, note ~54775

I am not sure why https://bugs.limesurvey.org/view.php?id=12427 was closed but linked to this one, but if we are working on passwords, we should definitely either disallow blanks within passwords or show a warning
a) when setting passwords
and
b) when entering/copying a password.

Copying passwords with blanks is a common support case because you sometimes don't notice that.

DenisChenu (developer), 2019-11-25 21:39, note ~54779

> we should definitely either disallow blanks within passwords or show a warning

NO, we should allow an empty password for webserver authentication, LDAP, etc. ...

The password is used only for AuthDB, so it must be mandatory only when creating an AuthDB user: the form for user creation must come from the Auth plugin ...

Mazi (updater), 2019-11-26 09:27, note ~54781

@DenisChenu, I do not mind having empty passwords, but that is different from detecting any blanks within a PW. The latter is a desired feature since it will make things easier for the user, who often misses a blank within the PW.

DenisChenu (developer), 2019-11-26 18:31, note ~54810

You mean disallow whitespace inside the password?
Current 3.X: the password is required.

Mazi (updater), 2019-11-27 17:57, note ~54838

Yes, on the one hand disallow whitespace when creating a password; on the other hand we should show a note if a PW at the login screen was entered with a whitespace.

c_schmitz (administrator), 2021-07-12 11:52, note ~65270

This issue is resolved in 5.x.

Issue History

Date Modified Username Field Change
2019-08-26 20:15 c_schmitz New Issue
2019-08-26 20:16 c_schmitz Priority none => high
2019-08-26 20:16 c_schmitz Severity minor => partial_block
2019-08-27 10:45 DenisChenu Note Added: 53280
2019-08-27 10:45 DenisChenu Relationship added related to 14408
2019-08-27 10:45 DenisChenu Relationship added related to 09599
2019-08-27 10:46 DenisChenu Relationship added related to 14049
2019-08-27 10:48 c_schmitz Relationship replaced has duplicate 14408
2019-08-27 10:49 c_schmitz Relationship deleted has duplicate 14408
2019-08-27 11:03 c_schmitz Relationship added related to 14408
2019-08-27 11:04 c_schmitz Summary Assigned user password is generated randomly, but not time-limited and user is not required to change it => Assigned administration user password is generated randomly, but not time-limited and user is not required to change it
2019-08-27 11:05 c_schmitz Note Added: 53282
2019-08-27 11:05 c_schmitz Relationship replaced has duplicate 09599
2019-08-27 11:10 DenisChenu Note Added: 53284
2019-08-27 11:16 c_schmitz Note Added: 53285
2019-08-27 11:17 c_schmitz Relationship replaced has duplicate 14049
2019-08-27 11:18 c_schmitz Relationship added related to 12427
2019-08-27 11:20 c_schmitz View Status private => public
2019-08-27 11:21 c_schmitz Priority high => normal
2019-09-17 08:02 DenisChenu Issue Monitored: DenisChenu
2019-09-18 16:36 DenisChenu Note Added: 53639
2019-11-14 21:53 cdorin Assigned To => cdorin
2019-11-14 21:53 cdorin Status new => assigned
2019-11-25 15:57 Mazi Note Added: 54775
2019-11-25 21:39 DenisChenu Note Added: 54779
2019-11-26 09:27 Mazi Note Added: 54781
2019-11-26 18:31 DenisChenu Note Added: 54810
2019-11-27 17:57 Mazi Note Added: 54838
2020-08-07 19:56 kjnerhus Issue Monitored: kjnerhus
2021-02-04 10:15 cdorin Status assigned => new
2021-02-04 14:41 cdorin Assigned To cdorin =>
2021-02-04 14:41 cdorin Status new => confirmed
2021-07-12 11:52 c_schmitz Assigned To => c_schmitz
2021-07-12 11:52 c_schmitz Status confirmed => closed
2021-07-12 11:52 c_schmitz Resolution open => fixed
2021-07-12 11:52 c_schmitz Fixed in Version => 5.x
2021-07-12 11:52 c_schmitz Note Added: 65270