View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
16821 | Bug reports | Survey taking | public | 2020-11-05 14:24 | 2021-03-08 19:35 |
Reporter | uibklime1 | Assigned To | c_schmitz | ||
Priority | normal | Severity | block | ||
Status | closed | Resolution | fixed | ||
Product Version | 3.22.4 | ||||
Fixed in Version | 3.25.17 | ||||
Summary | 16821: Save-survey passwords leaked in URL and emails | ||||
Description | The "save-survey" function creates a critical security vulnerability, potentially exposing personal passwords of ordinary survey-takers. First, recognize that self-hosted surveys are often hosted under the same domains of survey takers. Second, recognize that modern browsers increasingly attempt to autofill usernames and passwords in conjunction with anything on a form page that looked like a username or password. The save-function on a survey prompts the user for a username, password, and email address. In most use-cases, the user will be prompted by the browser to submit an already existing password which is valid for the same domain. This password is then (1) passed plaintext (via POST) to the server, (2) stored for a period of time in the survey database, (3) sent to the user's email address (without email verification, thus possibly bouncing to an admin or worse -- see issue 9606), (4) in plaintext of the URL which is saved in the logs. If I could SCREAM about this, I would. | ||||
Tags | No tags attached. | ||||
Bug heat | 2 | ||||
Complete LimeSurvey version number (& build) | 3.22.4+200212 | ||||
I will donate to the project if issue is resolved | No | ||||
Browser | all | ||||
Database type & version | mysql 5.7 | ||||
Server OS (if known) | CentOS 7.8 | ||||
Webserver software & version (if known) | Apache 2.4 | ||||
PHP Version | PHP 7.3 | ||||
Date Modified | Username | Field | Change |
---|---|---|---|
2020-11-05 14:24 | uibklime1 | New Issue | |
2020-12-23 18:51 | cdorin | Priority | none => normal |
2020-12-23 18:51 | cdorin | Status | new => confirmed |
2020-12-23 18:51 | cdorin | Sync to Zoho Project | => |Yes| |
2021-03-05 16:47 | c_schmitz | Assigned To | => c_schmitz |
2021-03-05 16:47 | c_schmitz | Status | confirmed => resolved |
2021-03-05 16:47 | c_schmitz | Resolution | open => fixed |
2021-03-05 16:47 | c_schmitz | Note Added: 62790 | |
2021-03-08 19:35 | c_schmitz | Fixed in Version | => 3.25.17 |
2021-03-08 19:35 | c_schmitz | Status | resolved => closed |