View Issue Details

This bug affects 1 person(s).
ID: 09219
Project: Bug reports
Category: Security
View Status: public
Last Update: 2015-01-03 19:50
Reporter: sykano
Assigned To: mdekker
Priority: normal
Severity: partial_block
Status: closed
Resolution: duplicate
Product Version: 2.05+
Summary09219: blocked LDAP users can use "forgot password" to login locally -> security issue
Description

Since LDAP users are internally normal user accounts in Limesurvey, a user whose account is blocked in the central AD can manage to log in by getting a password for the local login via the "forgot password" function.
If mail access is also blocked (which should be normal), it is still possible by obtaining the local password in advance.

This is a security issue! It can undermine company security policies!

Also, note that local login can't be deactivated. But that wouldn't be enough to fix the issue; sometimes you might need the local login.

Steps To Reproduce
  • have Limesurvey and a central LDAP server configured properly
  • either use HTTP Auth Autocreate or manually create an account for a user that is in LDAP
  • enable LDAP login
  • LDAP login should work now
  • use "forgot password" to get local password by mail
  • block user in AD
  • LDAP login doesn't work now
  • login at local login with obtained password
Additional Information

I suggest internally distinguishing user accounts that are LDAP user accounts from normal local user accounts.
Or make it possible to forbid user accounts from logging in locally (and from getting a local password by mail) and use that mechanism for LDAP users.

As a side note, I would also like to suggest making it possible to deactivate the local login.
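The mitigation suggested above, as an added example that is not LimeSurvey's own code: each account carries an auth source, and both the "forgot password" path and the local login form refuse accounts that are LDAP-managed. The user table, the `auth_source` field and the function names are assumptions made for this illustration.

```php
<?php
// Added example, not part of LimeSurvey: per-account auth source gates both
// the password-reset path and the local login path.
const AUTH_LOCAL = 'local';
const AUTH_LDAP  = 'ldap';

// Constructed sample user table. In a real deployment auth_source would be
// recorded when the account is created (manually or by HTTP-auth autocreate).
$users = [
    'alice' => ['auth_source' => AUTH_LOCAL,
                'password_hash' => password_hash('s3cret', PASSWORD_DEFAULT)],
    'bob'   => ['auth_source' => AUTH_LDAP, 'password_hash' => null],
];

function canResetLocalPassword(array $user): bool {
    // An LDAP-managed account has no local credential to reset; mailing one
    // would create exactly the bypass described in the report.
    return $user['auth_source'] === AUTH_LOCAL;
}

function forgotPassword(array &$user, string $newPassword): bool {
    if (!canResetLocalPassword($user)) {
        // Log the refusal so repeated attempts against LDAP accounts are visible.
        error_log('password reset refused: account is managed by ' . $user['auth_source']);
        return false;
    }
    $user['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

function localLogin(array $user, string $password): bool {
    if ($user['auth_source'] !== AUTH_LOCAL) {
        // Refuse the local form even if a local hash survives from before the fix,
        // so that blocking the account in the directory is the single point of control.
        error_log('local login refused: account is managed by ' . $user['auth_source']);
        return false;
    }
    return $user['password_hash'] !== null
        && password_verify($password, $user['password_hash']);
}

// Walk through the report's scenario with the constructed users:
// the LDAP account can neither obtain nor use a local password,
// while the local account keeps working as before.
var_dump(forgotPassword($users['bob'], 'mailed-pw'));
var_dump(localLogin($users['bob'], 'mailed-pw'));
var_dump(forgotPassword($users['alice'], 'new-pw'));
var_dump(localLogin($users['alice'], 'new-pw'));
```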

Tags: No tags attached.
Bug heat: 250
Complete LimeSurvey version number (& build): build 20140703
I will donate to the project if issue is resolved: No
Browser: Firefox, Chrome
Database type & version: mysql 5.1.73
Server OS (if known): Linux (CentOS 6.5)
Webserver software & version (if known): apache 2.2.15
PHP Version: 5.3.3

Relationships

duplicate of 08865 (closed, aesteban, Bug reports): User not in LDAP or in WebServer can log again

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2014-09-08 21:35 sykano New Issue
2014-09-09 12:12 DenisChenu Relationship added duplicate of 08865
2014-09-09 12:12 DenisChenu Status new => closed
2014-09-09 12:12 DenisChenu Assigned To => mdekker
2014-09-09 12:12 DenisChenu Resolution open => duplicate