View Issue Details

ID: 15221
Project: Bug reports
Category: [All Projects] Survey participants (Tokens)
View Status: public
Last Update: 2019-09-06 10:47
Reporter: fradeff
Assigned To: DenisChenu
Priority: urgent
Severity: block
Status: closed
Resolution: fixed
Product Version: 3.17.x
Target Version:
Fixed in Version: 3.17.x
Summary: 15221: unable to send mail to participants - apache handler error 403
Description

Upgraded many lime instances yesterday from 3.17.14 to 3.17.15.

Since the upgrade, when I try to send the email invitations to participants, the browser remains running.

Apache and the Firefox debugger return a 403 Forbidden error.

url ex. index.php/admin/tokens/sa/email/surveyid/694127?1567584781435

Steps To Reproduce

create invitation, activate, send mails (global or line by line)

Tags: No tags attached.
Complete LimeSurvey version number (& build): Version 3.17.15+190903
I will donate to the project if issue is resolved: No
Browser: FF 68.0.2 and Chromium 76.0.3809.100
Database & DB-Version: mysqlnd 5.0.12-dev - 20150407
Server OS (if known): Debian GNU/Linux 9.9 (stretch)
Webserver software & version (if known): Apache 2.0 Handler 20120211
PHP Version: PHP Version 7.0.33-0+deb9u3

Relationships

has duplicate 15222 (closed, DenisChenu): Can't send invitations or reminders
has duplicate 15236 (closed, DenisChenu): Error 403 when trying to send email invitation

Activities

cdorin

2019-09-04 10:54

manager   ~53409

@DenisChenu, were you able to reproduce it? Saw also this one: [15222]

fradeff

2019-09-04 11:01

reporter   ~53410

thank you cdorin & Denis
PS: little error in my description, I've upgraded 3.17.13 -> 3.17.15 (so maybe the error was present on 3.17.14 as mentioned in [15222])

DenisChenu

2019-09-04 11:11

developer   ~53411

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=29089

DenisChenu

2019-09-04 11:15

developer   ~53414

@cdorin : yes, child of security issue with multiple params …
Still bad to have multiple params, but need only to fill user param : fixed, but the issue with sa VS subaction VS sSubAction still there.

subaction and sSubAction come from code … not from user param here …

fradeff

2019-09-04 11:18

reporter   ~53415

@Denis: a really big thanks! in the meanwhile, I've downgraded to 3.17.13 ... seems to work but I'll try your fix

DenisChenu

2019-09-04 11:29

developer   ~53416

The versions before 3.17.14 have a « reflected XSS vulnerability » in surveyid param …

DenisChenu

2019-09-04 11:30

developer   ~53417

@fradeff : if you manually apply the fix : https://github.com/LimeSurvey/LimeSurvey/commit/de7707d700d1304110eca1e12fd22b3aa1d011b7

I found an issue in quota too, but I didn't test ALL actions …

Aurore

2019-09-04 16:15

reporter   ~53428

Thanks for the correction! I had the problem this morning, just after the update from 3.17.10 -> 3.17.15 and it's a real problem in my company.
Do you know when the error will be available in comfort updates ?

cdorin

2019-09-04 16:16

manager   ~53429

Last edited: 2019-09-04 16:17

@Aurore, tomorrow morning we will create a new minor release (the latest). We are sorry for the caused inconveniences.

Thank you @DenisChenu for the quick fix!

Aurore

2019-09-04 16:21

reporter   ~53430

Thanks for your answer @cdorin and @DenisChenu for fixing this issue !

DenisChenu

2019-09-04 16:33

developer   ~53432

Warning, if you need to fix the issue quickly,
this https://github.com/LimeSurvey/LimeSurvey/commit/e13cbeb7d06362b4885bbff549ec3cce53707654
must be done too (for quota editing and maybe some other places).

I introduce the issue here : https://github.com/LimeSurvey/LimeSurvey/commit/f1c1ad2d24eb262363511fcca2e96ce737064006

lime_release_bot

2019-09-06 10:47

developer   ~53492

Fixed in Release 3.17.16+190906

Related Changesets

LimeSurvey: master de7707d7

2019-09-04 11:11:05

DenisChenu

Fixed issue 15221: unable to send mail to participants - apache handler error 403
Dev: security must check only user request
Dev: fix invalid sid param in quota
Affected Issues
15221
mod - application/core/Survey_Common_Action.php
mod - application/views/admin/quotas/newanswer_view.php

Issue History

Date Modified Username Field Change
2019-09-04 10:17 fradeff New Issue
2019-09-04 10:28 DenisChenu Assigned To => DenisChenu
2019-09-04 10:28 DenisChenu Status new => assigned
2019-09-04 10:54 cdorin Note Added: 53409
2019-09-04 11:01 fradeff Note Added: 53410
2019-09-04 11:11 DenisChenu Changeset attached => LimeSurvey master de7707d7
2019-09-04 11:11 DenisChenu Note Added: 53411
2019-09-04 11:11 DenisChenu Resolution open => fixed
2019-09-04 11:12 DenisChenu Relationship added has duplicate 15222
2019-09-04 11:13 DenisChenu Status assigned => resolved
2019-09-04 11:13 DenisChenu Fixed in Version => 3.17.x
2019-09-04 11:15 DenisChenu Note Added: 53414
2019-09-04 11:16 DenisChenu Priority none => urgent
2019-09-04 11:18 fradeff Note Added: 53415
2019-09-04 11:29 DenisChenu Note Added: 53416
2019-09-04 11:30 DenisChenu Note Added: 53417
2019-09-04 16:15 Aurore Note Added: 53428
2019-09-04 16:16 cdorin Note Added: 53429
2019-09-04 16:17 cdorin Note Edited: 53429 View Revisions
2019-09-04 16:21 Aurore Note Added: 53430
2019-09-04 16:33 DenisChenu Note Added: 53432
2019-09-05 18:23 DenisChenu Relationship added has duplicate 15236
2019-09-06 10:47 lime_release_bot Note Added: 53492
2019-09-06 10:47 lime_release_bot Status resolved => closed