View Issue Details

ID: 17384
Project: Bug reports
Category: Security
View Status: public
Last Update: 2021-07-08 11:13
Reporter: bcanova
Assigned To: (none)
Priority: none
Severity: minor
Status: closed
Resolution: open
Product Version: 3.25.20
Summary17384: Web application does not restrict browser storage of passwords
Description

Inspection of application communications reveals that the AUTOCOMPLETE attribute is not disabled in the HTML FORM/INPUT element containing the password-type input on the administrator login page. Passwords may be stored in browsers and retrieved after a session terminates. Leaving authentication credentials stored at the client level allows potential access to session information that can be used by subsequent users of a shared workstation and could also be exported and used on other workstations, providing immediate unauthorized access to the application.

Additional Information

Configure the application to require the user to manually enter their credentials prior to each session. Disable the AUTOCOMPLETE attribute in any HTML forms or individual input elements containing passwords. For example, AUTOCOMPLETE="OFF".

TagsNo tags attached.
Attached Files
image.png (3,594 bytes)
image-2.png (20,396 bytes)
image-3.png (10,588 bytes)
Bug heat: 256
Complete LimeSurvey version number (& build): 3.27.4
I will donate to the project if issue is resolved: No
Browser: Chrome
Database type & version: MySQL 5.5.9
Server OS (if known): CentOS 7
Webserver software & version (if known):
PHP Version: 7.2.5

Activities

DenisChenu (developer), 2021-06-22 17:07, note ~64989

THIS IS NOT AN ISSUE!

https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#the_autocomplete_attribute_and_login_fields

Disabling "save password" is a SECURITY issue!

ollehar (administrator), 2021-06-24 09:25, note ~65037

What are you saying, Denis? It is or isn't?

DenisChenu (developer), 2021-06-24 09:32, note ~65038

We have a lot of issues reported about "autocomplete=off".

But: this is NOT a security issue. Read the link:

"Even without a master password, in-browser password management is generally seen as a net gain for security. Since users do not have to remember passwords that the browser stores for them, they are able to choose stronger passwords than they would otherwise."

Maybe we can disable it in the token form, because it's not really a password. And in config (SMTP and IMAP password), but that's already done, if I'm not mistaken.

An automatic system for tracking security that gives bad advice … is this really a good tool?

galads (reporter), 2021-07-08 10:50, note ~65255

I agree with @DenisChenu this is not a security issue. You may create a feature request if this is a priority for you and we will take a look at it. I will close this report.

galads (reporter), 2021-07-08 10:59, note ~65256

https://caniuse.com/input-autocomplete-onoff

DenisChenu (developer), 2021-07-08 11:13, note ~65257

I opened the 2 other «issues» about the token and mail password.

Maybe:

Issue History

Date Modified Username Field Change
2021-06-22 17:03 bcanova New Issue
2021-06-22 17:03 bcanova File Added: image.png
2021-06-22 17:03 bcanova File Added: image-2.png
2021-06-22 17:03 bcanova File Added: image-3.png
2021-06-22 17:07 DenisChenu Note Added: 64989
2021-06-24 09:25 ollehar Note Added: 65037
2021-06-24 09:32 DenisChenu Note Added: 65038
2021-07-08 10:50 galads Note Added: 65255
2021-07-08 10:50 galads Status new => closed
2021-07-08 10:59 galads Note Added: 65256
2021-07-08 11:13 DenisChenu Note Added: 65257