View Issue Details

This bug affects 1 person(s).

ID: 17322
Project: Bug reports
Category: Security
View Status: public
Last Update: 2021-07-12 12:41
Reporter: DenisChenu
Assigned To: DenisChenu
Priority: none
Severity: minor
Status: assigned
Resolution: open
Product Version: 3.25.20
Summary: 17322: Need different time and count for lock out access for token VS admin user
Description: Since brute-force attack with tokens to enter survey is possible: https://bugs.limesurvey.org/view.php?id=15239

We use the same settings for lock out token and lock out admin.

But
1. Way of giving access is totally different: username+userpass VS random characters
2. Rights after access are totally different: whole DB and data with admin, only a single user's data with token
Steps To Reproduce: ?
Additional Information: token: bot access: 1 second after 3 tries is the best
admin: 10 minutes is really better
Tags: No tags attached.
Bug heat: 266
Complete LimeSurvey version number (& build): 3.27.0
I will donate to the project if issue is resolved: No
Browser: not relevant
Database & DB-Version: not relevant
Server OS (if known): not relevant
Webserver software & version (if known): not relevant
PHP Version: not relevant

Relationships

related to 17323 new Feature requests Captchas have no non-visual alternative

Activities

DenisChenu
2021-05-25 12:38
developer   ~64532

I can fix it (freely), it's an easy **needed** fix
galads
2021-06-18 10:31
administrator   ~64951

A fix for "Brute-force attack with tokens to enter survey" is already provided and there is a delay when the token is entered incorrectly several times.
Or maybe I misunderstand the fix you want to provide?
DenisChenu
2021-06-18 10:55
developer   ~64952

We use the same time for admin user and token user. BUT: it's a totally different attack.

Yes, there is a brute force, but it uses the same time and tries as the admin user.

Admin user brute force attack can use
- "social attack": birthday, children's names
- other pwned passwords for the same user
- password rainbow table

Token user can only be automatic characters: randomly chosen

Also: the rights given are really more dangerous
- Admin user: all database of all users of all surveys
- token user: one user's information on one survey

The 1st issue is to use the same system for a totally different concept. If you cannot understand this, I cannot explain more.
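To make the distinction in this thread concrete, here is an added example (not LimeSurvey code, and not written by anyone in this thread) of keeping two separate lockout policies, one for survey tokens and one for admin logins, using the figures proposed in the report (3 tries then a 1-second lockout for tokens, a 10-minute lockout for admin). The LockoutPolicy/LockoutTracker names, the choice of 3 tries for admin as well, keying the counters by client plus principal, the 15-character alphanumeric token size and the one-million-entry password list are all assumptions of this example; they exist only to show why the same limit gives very different outcomes for a random token and for a guessable password.

```python
"""Separate lockout policies for survey-token vs admin logins (added illustration)."""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class LockoutPolicy:
    max_attempts: int        # failed attempts tolerated before the lockout starts
    lockout_seconds: float   # how long further attempts are rejected


# Figures from the report's "Additional Information"; the policy objects and
# their names are this example's own, not LimeSurvey configuration keys.
# The admin attempt count of 3 is an assumption (the report gives only the time).
TOKEN_POLICY = LockoutPolicy(max_attempts=3, lockout_seconds=1.0)
ADMIN_POLICY = LockoutPolicy(max_attempts=3, lockout_seconds=600.0)


class LockoutTracker:
    """Counts failures per key; the key is assumed to be client + principal,
    e.g. "ip:survey-id" for tokens and "ip:username" for admin users."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._failures: dict[str, int] = {}
        self._locked_until: dict[str, float] = {}

    def allowed(self, key: str, now: float) -> bool:
        """True if an attempt for this key may be processed at time `now`."""
        until = self._locked_until.get(key)
        if until is not None and now < until:
            return False
        if until is not None:
            # Lockout has expired: start a fresh counting window.
            del self._locked_until[key]
            self._failures[key] = 0
        return True

    def record_failure(self, key: str, now: float) -> bool:
        """Register a failed attempt; returns True if it triggered a lockout."""
        count = self._failures.get(key, 0) + 1
        self._failures[key] = count
        if count >= self.policy.max_attempts:
            self._locked_until[key] = now + self.policy.lockout_seconds
            return True
        return False

    def record_success(self, key: str) -> None:
        """A successful login clears the counter and any pending lockout."""
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def guesses_per_hour(policy: LockoutPolicy) -> float:
    """Upper bound on guesses one client can make per hour under a policy.
    Assumes each guess takes no time, i.e. the defender's worst case: the
    client makes max_attempts guesses, waits out the lockout, and repeats."""
    if policy.lockout_seconds <= 0:
        return math.inf
    return policy.max_attempts * 3600.0 / policy.lockout_seconds


def hours_to_cover(keyspace: float, policy: LockoutPolicy) -> float:
    """Hours needed to try every candidate in `keyspace` under the policy."""
    return keyspace / guesses_per_hour(policy)


if __name__ == "__main__":
    # Assumed sizes: a 15-character [a-zA-Z0-9] token vs a one-million-entry
    # password list for an admin account (both constructed for this example).
    token_space = 62 ** 15
    password_list = 1_000_000
    print("token guesses/hour:", guesses_per_hour(TOKEN_POLICY))
    print("admin guesses/hour:", guesses_per_hour(ADMIN_POLICY))
    print("hours to cover token space:", hours_to_cover(token_space, TOKEN_POLICY))
    print("hours to cover password list:", hours_to_cover(password_list, ADMIN_POLICY))
```

Even with the short 1-second token lockout, exhausting the random token space takes on the order of 10^22 hours, so the lenient policy costs nothing in security while keeping the survey usable; the admin side, where the candidate list is small and human-shaped, is where the long lockout earns its keep.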
galads
2021-06-22 16:07
administrator   ~64979

I understand this absolutely fine but this sounds like a feature request and not a bug. Please create a PR and I will take it up from there
DenisChenu
2021-06-22 16:23
developer   ~64981

But: this issue was introduced in a https://github.com/LimeSurvey/LimeSurvey/blob/0b24642017090b0a16f867ab7c10c9d73f5629d7/docs/release_notes.txt#L214

in 3.X when new feature is forbidden … then ?

Can I fix it for 3.X or not?
c_schmitz
2021-07-12 11:56
administrator   ~65371

yes, you can.

Issue History

Date Modified Username Field Change
2021-05-25 12:38 DenisChenu New Issue
2021-05-25 12:38 DenisChenu Note Added: 64532
2021-05-25 13:50 DenisChenu Relationship added related to 17323
2021-06-18 10:31 galads Note Added: 64951
2021-06-18 10:32 galads Assigned To => galads
2021-06-18 10:32 galads Status new => feedback
2021-06-18 10:55 DenisChenu Note Added: 64952
2021-06-18 10:55 DenisChenu Status feedback => assigned
2021-06-22 16:07 galads Note Added: 64979
2021-06-22 16:08 galads Assigned To galads => DenisChenu
2021-06-22 16:08 galads Status assigned => feedback
2021-06-22 16:08 galads Status feedback => assigned
2021-06-22 16:23 DenisChenu Note Added: 64981
2021-07-12 11:56 c_schmitz Note Added: 65371
2021-07-12 12:41 galads Status assigned => confirmed
2021-07-12 12:41 galads Status confirmed => assigned