View Issue Details

ID: 16821
Project: Bug reports
Category: Survey taking
View Status: public
Last Update: 2021-03-08 19:35
Reporter: uibklime1
Assigned To: c_schmitz
Priority: normal
Severity: block
Status: closed
Resolution: fixed
Product Version: 3.22.4
Fixed in Version: 3.25.17
Summary: 16821: Save-survey passwords leaked in URL and emails

Description: The "save-survey" function creates a critical security vulnerability, potentially exposing personal passwords of ordinary survey-takers.

First, recognize that self-hosted surveys are often hosted under the same domains of survey takers. Second, recognize that modern browsers increasingly attempt to autofill usernames and passwords in conjunction with anything on a form page that looks like a username or password.

The save-function on a survey prompts the user for a username, password, and email address. In most use-cases, the user will be prompted by the browser to submit an already existing password which is valid for the same domain. This password is then (1) passed plaintext (via POST) to the server, (2) stored for a period of time in the survey database, (3) sent to the user's email address (without email verification, thus possibly bouncing to an admin or worse -- see issue 9606), (4) in plaintext of the URL which is saved in the logs.

If I could SCREAM about this, I would.
Tags: No tags attached.
Complete LimeSurvey version number (& build): 3.22.4+200212
I will donate to the project if issue is resolved: No
Browser: all
Database & DB-Version: mysql 5.7
Server OS (if known): CentOS 7.8
Webserver software & version (if known): Apache 2.4
PHP Version: PHP 7.3
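
An added example, not part of the original report and not LimeSurvey code: a check for item (4) in the description, which finds and redacts credential-like query parameters in the request line of Apache access-log entries. The parameter names in `SENSITIVE` and the sample log lines are constructed assumptions, since the report does not name the parameter that carries the password.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Hypothetical parameter names; the issue does not say which one carries the password.
SENSITIVE = {"password", "passwd", "pwd", "pass"}

# Apache common/combined log format: the request line is the first quoted field.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines, not taken from a real server
    '203.0.113.7 - - [05/Nov/2020:14:20:01 +0100] "GET /index.php/123456?lang=en HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Nov/2020:14:21:44 +0100] "GET /index.php/123456?name=alice&password=EXAMPLE-ONLY&lang=en HTTP/1.1" 200 6044 "-" "Mozilla/5.0"',
]

def is_secret(key, value):
    """True when a query parameter has a credential-like name and a non-empty value."""
    return key.lower() in SENSITIVE and value != ""

def redact_line(line):
    """Return (line with secret values replaced, list of offending parameter names)."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []  # not a parsable request line; leave untouched
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    hits = [k for k, v in pairs if is_secret(k, v)]
    if not hits:
        return line, []
    clean = urlencode([(k, "REDACTED" if is_secret(k, v) else v)
                       for k, v in pairs])
    target = parts._replace(query=clean).geturl()
    return line[:m.start("target")] + target + line[m.end("target"):], hits

def scan(lines):
    """Return [(line_number, parameter_names, redacted_line)] for lines exposing a secret."""
    findings = []
    for number, line in enumerate(lines, 1):
        redacted, hits = redact_line(line)
        if hits:
            findings.append((number, hits, redacted))
    return findings

if __name__ == "__main__":
    for number, hits, redacted in scan(SAMPLE_LOG):
        print(f"line {number}: {hits}\n  {redacted}")
```

The check covers only the request line; the Referer field and application-level logs can carry the same URL and need the same treatment.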

Activities

c_schmitz (administrator), 2021-03-05 16:47, ~62790

Sorry, we are not trying to make you scream. This will be fixed in the next version.
One thing though: We do not save passwords in the database, just hashes.

Issue History

Date Modified Username Field Change
2020-11-05 14:24 uibklime1 New Issue
2020-12-23 18:51 cdorin Priority none => normal
2020-12-23 18:51 cdorin Status new => confirmed
2021-03-05 16:47 c_schmitz Assigned To => c_schmitz
2021-03-05 16:47 c_schmitz Status confirmed => resolved
2021-03-05 16:47 c_schmitz Resolution open => fixed
2021-03-05 16:47 c_schmitz Note Added: 62790
2021-03-08 19:35 c_schmitz Fixed in Version => 3.25.17
2021-03-08 19:35 c_schmitz Status resolved => closed