View Issue Details

This bug affects 1 person(s).
 8
IDProjectCategoryView StatusLast Update
17444Bug reportsResponse browsingpublic2022-05-19 20:44
Reportergalads Assigned To 
PrioritynormalSeveritypartial_block 
Status confirmedResolutionopen 
Product Version3.25.20 
Summary17444: Survey in 'all in one' mode creates response entry as soon as the survey is visited
Description

When a participant "saves and resumes later", a new entry is entered in the participant's table.

In the "Lime_save_control" a new entry is entered as expected.
When the participant "loads saved responses", a new empty entry is created (LimeSurvey{survey_id}).

Then the user is able to finish the loaded survey but the new empty entry is still available in the response table.

Attack possible in all in one survey when save and resume functionality is used

Steps To Reproduce
  1. Create a new survey (enable save and resume later).
  2. Activate the survey
  3. start the survey
  4. "save and resume later"
  5. "load saved responses"

2 entries in the response table. One empty response from the same participant.

Additional Information

Survey details: (All in one)

TagsNo tags attached.
Bug heat8
Complete LimeSurvey version number (& build)3.27.5
I will donate to the project if issue is resolvedNo
Browser
Database type & versionno relevant
Server OS (if known)
Webserver software & version (if known)
PHP Versionnot relevant

Users monitoring this issue

There are no users monitoring this issue.

Activities

DenisChenu

DenisChenu

2021-07-15 14:13

developer   ~65454

I think there are a lack of detail here : i can reproduce on a group by group survey.

Survey all in one page ? Hide welcome page ?

Because we can npot do

  1. Activate the survey
  2. "save and resume later"

Save and resume later didn't appear on welcome page.

Else i try

  1. Enter survey
  2. next
  3. Save and resume
  4. No load button, save
  5. Check : it's OK : one save + on respnse
  6. Quit browser
  7. Entre survey
  8. Load answer (previous)
  9. Save again
  10. Still have one response and one saved response.
galads

galads

2021-07-15 15:01

reporter   ~65457

Last edited: 2021-07-16 16:14

Well I did not include all steps
Of course, start the survey and then use the resume later functionality.

I added more information: It happens for "all in one" surveys

DenisChenu

DenisChenu

2021-07-15 15:04

developer   ~65458

Last edited: 2021-07-16 16:14

I think the important part are "All in one" ;)

gabrieljenik

gabrieljenik

2021-07-28 15:00

manager   ~65679

There doesn't seem to be an issue with save and resume.
I followed this steps and everything worked:

1) Created survey, with "Create example question group and question?" = "On"
2) Changed format to All-in-one
3) Activated the survey
4) Executed the survey
5) Clicked "Resume later" and completed the form
6) A message appeared: Your survey was successfully saved
7) Closed the tab
8) At that point, there is an incomplete response and also a record in saved_control.
9) Entered again with the link received by mail, and completed the saved name and password
10) Response and saved_control remain the same
11) Submit the survey
12) No record on saved_control, and only one response (now completed)

However, if you try to execute the survey with the normal link (instead of the link from the "saved" email), an empty response is saved.
But it has nothing to do with save and resume. Even if you don't save anything, everytime you execute the survey an empty response is created.
For example, if you:
1) Execute an all-in-one survey
2) Don't touch anything but refresh the page
3) A new response is created

I think this is a colateral damage.
There is no welcome screen, so the survey is started (and a response is created) as soon as the first page is presented.
Maybe we need to clear results if hitting "load previous response"?

gabrieljenik

gabrieljenik

2021-07-28 15:01

manager   ~65681

What I see here is a secruity issue.
Someone could in these conditions do an attack and save lot of empty responses.
Maybe we need to apply some limits as in the login attempts / tokens?

DenisChenu

DenisChenu

2021-07-28 15:03

developer   ~65683

There is no welcome screen, so the survey is started (and a response is created) as soon as the first page is presented.

OK ! Maybe report this one as new issue unrelated to save part ?

galads

galads

2021-07-29 17:16

reporter   ~65751

This happens when the survey link is used and not the link sent to the email. I agree with you that this is a security issue (attack with a lot of empty responses).

I will change it to "attack possible in all in one survey when save and resume functionality is used"

c_schmitz

c_schmitz

2021-08-16 09:35

administrator   ~65991

It is a general problem of the way we save the response in all-in-one mode.
It is inconvenient, but only a minor 'security' issue.
I am not sure if it can be resolved quickly - I doubt it.

Issue History

Date Modified Username Field Change
2021-07-15 13:55 galads New Issue
2021-07-15 13:55 galads Status new => assigned
2021-07-15 13:55 galads Assigned To => galads
2021-07-15 13:56 galads Status assigned => confirmed
2021-07-15 14:13 DenisChenu Note Added: 65454
2021-07-15 14:38 galads Description Updated
2021-07-15 14:38 galads Steps to Reproduce Updated
2021-07-15 14:38 galads Additional Information Updated
2021-07-15 15:01 galads Note Added: 65457
2021-07-15 15:04 DenisChenu Note Added: 65458
2021-07-16 16:06 galads Sync to Zoho Project => |Yes|
2021-07-19 17:01 galads Assigned To galads => gabrieljenik
2021-07-19 17:01 galads Priority none => high
2021-07-19 17:01 galads Reproducibility have not tried => always
2021-07-19 17:01 galads Status confirmed => assigned
2021-07-19 17:01 galads Sync to Zoho Project Yes => |Yes|
2021-07-28 15:00 gabrieljenik Note Added: 65679
2021-07-28 15:01 gabrieljenik Note Added: 65681
2021-07-28 15:03 DenisChenu Note Added: 65683
2021-07-29 17:16 galads Note Added: 65751
2021-07-29 17:23 galads Summary "save and resum later", creates a new empty entry in the response table. => "save and resum later", creates a new empty entry in the response table for "all in one" (attack possible)
2021-07-29 17:23 galads Description Updated
2021-07-29 17:23 galads Sync to Zoho Project Yes => |Yes|
2021-08-16 09:35 c_schmitz Note Added: 65991
2021-08-16 09:35 c_schmitz Bug heat 6 => 8
2021-08-16 09:36 c_schmitz Summary "save and resum later", creates a new empty entry in the response table for "all in one" (attack possible) => Survey in 'all in one' mode creates response entry as soon as the survey is visited
2021-08-16 09:36 c_schmitz Sync to Zoho Project Yes => |Yes|
2021-08-16 09:37 c_schmitz Sync to Zoho Project Yes => |Yes|
2022-05-19 20:44 c_schmitz Priority high => normal
2022-05-19 20:44 c_schmitz Assigned To gabrieljenik =>
2022-05-19 20:44 c_schmitz Status assigned => confirmed