View Issue Details

ID: 15655
Project: Bug reports
Category: Security
View Status: public
Last Update: 2019-12-16 10:32
Reporter: kclingerman
Assigned To: c_schmitz
Priority: none
Severity: partial_block
Status: feedback
Resolution: open
Product Version: 3.21.1
Summary: 15655: Special characters break passwords
Description

When trying to use a password with < in it, the string breaks at that character. For example, if I have a password "C<SGBUxaCWt" set for the bounce user, it will try to authenticate to the IMAP server with just "C" as the password.

Steps To Reproduce

Enter a password for the bounce user with < in it and read the password back out.

Tags: No tags attached.
Complete LimeSurvey version number (& build): Version 3.21.1+191210
I will donate to the project if issue is resolved: No
Browser:
Database & DB-Version: mysqlnd 5.0.12-dev - 20150407
Server OS (if known): Ubuntu 18.04.2 LTS
Webserver software & version (if known): Apache/2.4.29 (Ubuntu)
PHP Version: 7.2.24-0ubuntu0.18.04.1

Activities

ollehar

2019-12-13 14:30

administrator   ~55024

Last edited: 2019-12-13 14:31

Cannot reproduce with admin user. Changed my admin password to "asd<asd", logout, login, works. More details?

kclingerman

2019-12-13 14:33

reporter   ~55025

Thanks for the quick response. I did not try it with a user login, I tried and experienced the bug specifically when setting the password for the bounce email account.

ollehar

2019-12-13 14:36

administrator   ~55026

Alright.

ollehar

2019-12-13 16:34

administrator   ~55030

@kclingerman Can you give me a screenshot of the form you used to set the password, please?

ollehar

2019-12-13 16:53

administrator   ~55031

Looks like it's by design to strip tags. @c_schmitz, do you remember the reasoning behind this? Been there forever.

        setGlobalSetting('bounceaccountuser', strip_tags(returnGlobal('bounceaccountuser')));

ollehar

2019-12-13 16:54

administrator   ~55032

Need to inform the user about this security measure, or change it, e.g. escape tags instead of stripping them.
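
The two options raised in the note above (inform the user, or escape instead of stripping), shown next to the stripping behaviour from the report. This is an added PHP example, not LimeSurvey code and not part of the thread; the function names and the third sample password are made up for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not LimeSurvey code. All function names are hypothetical.

/** Behaviour described in the report: tag stripping applied to a secret. */
function storeStripped(string $secret): string
{
    return strip_tags($secret);
}

/** Option 1 from the thread: tell the user instead of silently altering. */
function validateSecret(string $secret): ?string
{
    if (strip_tags($secret) !== $secret) {
        return 'Password contains characters that would be removed on save.';
    }
    return null; // nothing would be removed
}

/** Option 2: store verbatim, escape only when writing the value into HTML. */
function escapeForHtml(string $secret): string
{
    return htmlspecialchars($secret, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// First two values are the passwords quoted in the thread; the third is constructed.
$samples = ['C<SGBUxaCWt', 'asd<asd', 'pl4in-passphrase'];

foreach ($samples as $secret) {
    $stripped  = storeStripped($secret);
    $escaped   = escapeForHtml($secret);
    // Decoding the escaped form models what the browser hands back from the field.
    $roundTrip = htmlspecialchars_decode($escaped, ENT_QUOTES);

    printf(
        "%-18s stripped=%-18s intact_after_strip=%-5s escaped=%-22s intact_after_escape=%s warning=%s\n",
        $secret,
        $stripped,
        var_export($stripped === $secret, true),
        $escaped,
        var_export($roundTrip === $secret, true),
        validateSecret($secret) ?? '(none)'
    );
}
```

A credential is sent to the mail server byte-for-byte, so any transformation applied at save time changes the secret itself; escaping only at render time leaves the stored value unchanged.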

Issue History

Date Modified Username Field Change
2019-12-12 19:57 kclingerman New Issue
2019-12-13 10:33 cdorin Assigned To => cdorin
2019-12-13 10:33 cdorin Status new => assigned
2019-12-13 14:19 ollehar Assigned To cdorin => ollehar
2019-12-13 14:30 ollehar Status assigned => feedback
2019-12-13 14:30 ollehar Note Added: 55024
2019-12-13 14:31 ollehar Note Edited: 55024
2019-12-13 14:33 kclingerman Note Added: 55025
2019-12-13 14:33 kclingerman Status feedback => assigned
2019-12-13 14:36 ollehar Note Added: 55026
2019-12-13 16:34 ollehar Note Added: 55030
2019-12-13 16:34 ollehar Status assigned => feedback
2019-12-13 16:53 ollehar Note Added: 55031
2019-12-13 16:54 ollehar Note Added: 55032
2019-12-16 10:32 c_schmitz Assigned To ollehar => c_schmitz