View Issue Details

This bug affects 1 person(s).

ID: 17349
Project: Bug reports
Category: Security
View Status: public
Last Update: 2021-07-20 12:49
Reporter: alorenc
Assigned To: ollehar
Priority: none
Severity: minor
Status: closed
Resolution: no change required
Product Version: 3.25.19
Summary: 17349: Autocomplete is not disabled in the password field.
Description

We detected that password fields do not have autocomplete turned off:

  • login form to the admin panel
  • token entry form when entering the survey

Detected on v3.25.19
Confirmed on v3.27.1

Tags: No tags attached.
Bug heat: 258
Complete LimeSurvey version number (& build): v3.27.1+210531
I will donate to the project if issue is resolved: No
Browser: Chrome v91.0.4472.77
Database type & version: SQL Server 2019
Server OS (if known): (not given)
Webserver software & version (if known): (not given)
PHP Version: v7.4.15 NTS x64

Activities

DenisChenu (developer), 2021-06-02 16:51, note ~64716

Not a bug!
And really, it's a security issue to disable saving passwords in the browser.

https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#the_autocomplete_attribute_and_login_fields

Even without a master password, in-browser password management is generally seen as a net gain for security. Since users do not have to remember passwords that the browser stores for them, they are able to choose stronger passwords than they would otherwise.

ollehar (administrator), 2021-06-02 18:11, note ~64720

Doesn't HTML5 support password tags to disable autocompletion?

DenisChenu (developer), 2021-06-02 19:01, note ~64723

And?

It's still an issue to disable autocompletion on the login form; the security issue is hacking the browser to disallow saving of the password.

ollehar (administrator), 2021-06-02 19:03, note ~64724

@alorenc Are you using one browser for multiple participants? Why is this an issue?

DenisChenu (developer), 2021-06-02 19:22, note ~64725

Eventually by an option for the token, but it's easy to do in the theme.

alorenc (reporter), 2021-06-04 10:46, note ~64734

@DenisChenu
The easiest way is to transfer the responsibility to the application client. In practice, we know that this does not always work: the end user does not need to know how to do it, or that they should do it.

@ollehar
The application should be able to protect the user from unauthorized access to his account. And the lack of an auto-complete option makes it possible, especially in places where many people use the same computer (browser).

DenisChenu (developer), 2021-06-04 10:54, note ~64735

It's a security issue to disable autocomplete on the login form.
Simple and clear!

You read the link I put:

Even without a master password, in-browser password management is generally seen as a net gain for security. Since users do not have to remember passwords that the browser stores for them, they are able to choose stronger passwords than they would otherwise.

About the token: ok, it can be seen as not a login form, but a login form with user + pass has to allow autocomplete.

If you're not happy with this, open an issue at Mozilla and Chrome.

c_schmitz (administrator), 2021-07-12 15:15, note ~65382

When you look at https://caniuse.com/?search=autocomplete you can see that most browsers are ignoring this anyway in favor of their own login systems.
I'd vote for this to be a non-issue.

alorenc (reporter), 2021-07-13 09:24, note ~65414

From the point of view of our client, this is a problem, especially in the context of a corporation whose employees use surveys from different browsers in different places. Therefore, we had to ensure all precautions against unauthorized access to the surveys, which in the current version of Lime 3.x occurs when the token of the survey participant is intercepted.

We used proprietary solutions with the help of plugins and changes in the architecture of the project environment. This allowed us to work around the reported problem.

DenisChenu (developer), 2021-07-13 09:41, note ~65415

Therefore, we had to ensure all precautions against unauthorized access to the surveys, which in the current version of Lime 3.x occurs when the token of the survey participant is intercepted.

For the token it can be easily updated via the theme!
https://github.com/LimeSurvey/LimeSurvey/blob/c73ee5f8bec83a5369e209fa35f74ee340dcec64/themes/survey/vanilla/views/subviews/logincomponents/token.twig#L32

Then: it's really not an issue.

alorenc (reporter), 2021-07-19 09:21, note ~65504

In this arrangement, the topic can be closed. I think we have exhausted the pros/cons of autocomplete ;)

Issue History

Date Modified Username Field Change
2021-06-02 16:35 alorenc New Issue
2021-06-02 16:51 DenisChenu Note Added: 64716
2021-06-02 18:11 ollehar Note Added: 64720
2021-06-02 18:32 ollehar Assigned To => ollehar
2021-06-02 18:32 ollehar Status new => feedback
2021-06-02 19:01 DenisChenu Note Added: 64723
2021-06-02 19:03 ollehar Note Added: 64724
2021-06-02 19:22 DenisChenu Note Added: 64725
2021-06-04 10:46 alorenc Note Added: 64734
2021-06-04 10:46 alorenc Status feedback => assigned
2021-06-04 10:54 DenisChenu Note Added: 64735
2021-07-12 15:15 c_schmitz Note Added: 65382
2021-07-13 09:24 alorenc Note Added: 65414
2021-07-13 09:41 DenisChenu Note Added: 65415
2021-07-19 09:21 alorenc Note Added: 65504
2021-07-20 12:49 ollehar Status assigned => closed
2021-07-20 12:49 ollehar Resolution open => no change required