View Issue Details

ID: 09373
Project: Feature requests
Category: [All Projects] Security
View Status: public
Last Update: 2018-12-04 16:03
Reporter: htwsaar
Assigned To:
Priority: normal
Severity: feature
Status: new
Resolution: open
Product Version:
Target Version:
Fixed in Version:
Summary: 09373: Prevent people from logging into administration from everywhere
Description

It would be great for security reasons if the administration view could be hidden from people outside - or, the other way round - one could set individual IP addresses, IP ranges, DNS names, or parts of DNS names (like *.mydomain.tld) that are allowed to get access to the admin view.

The German Office for data security wants us to do so.

.htaccess is not the way.

Tags: No tags attached.

Activities

DenisChenu (developer) 2014-11-26 10:58 ~31101

Last edited: 2014-11-26 11:00

And why is .htaccess not the way?

I really think it must be done via htaccess or an external plugin, not in LS core.

PS: try with the beforeLogin event: http://manual.limesurvey.org/BeforeLogin#beforeLogin

PS: restricting by IP is not security .... you don't know IP spoofing?

htwsaar (reporter) 2014-11-26 18:02 ~31111

.htaccess doesn't prevent someone from logging in to the admin area from outside your LAN, actually!

This just keeps people from getting the index file from the example.tld/admin/ directory.

If someone knows that this will be reinterpreted to http://example.tld/index.php/admin/authentication/sa/login instantly, he can still log in to your LimeSurvey administration.

This isn't better than .htaccess in the ../admin/ folder with 'deny all'.

I know IP spoofing, but no one will be able to pretend to be using a local-only RFC address from the outside. This address will not be routed.

Therefore an IP filter is an appropriate way to secure against attempts from outside.

How does the 'beforeLogin' work? I'm no PHP developer.
It would be fine if that were part of the Administration GUI.

DenisChenu (developer) 2014-11-26 18:34 ~31112

With htaccess and a rewrite condition:

# client is not from the 192.168.0.x LAN ...
RewriteCond %{REMOTE_ADDR} !^192\.168\.0\.
# ... and asks for an admin URL: send it to the plain index instead
RewriteCond %{REQUEST_URI} admin
RewriteRule .* index.php

Not tested

Usage of a plugin:
beforeLogin: https://gitorious.org/ls-authwpbydb/ls-authwpbydb/source/e7f52e2ac206333ba5fc79bc2ecd3a8b79d3bf96:AuthWPbyDB.php#L96
You can surely use a redirect here or throw a 401 error.

If you need help with PHP development: http://www.limesurvey.com/

htwsaar (reporter) 2014-11-26 18:54 ~31113

Since LS uses the same index.php for everything, by using .htaccess you will keep everyone from outside from using anything in LS (also surveys).
That's not what most users want.

I looked through your WordPress login script but I can't see how I would find out the remote IP address and filter it.

Could you explain?

Thank you.

htwsaar (reporter) 2014-11-26 18:56 ~31114

Oops, forgot to mention:

RewriteCond isn't allowed on our webserver.

DenisChenu (developer) 2014-11-26 19:33 ~31115

Please: http://www.giyf.com/ : php find remote IP address

And again: you need a PHP dev for LimeSurvey: http://www.limesurvey.com/

htwsaar (reporter) 2014-12-04 12:44 ~31164

I found a way that fits my requirements for now.

My solution is made with PHP. I just need to check the changes after every update.

In my opinion it would still be great if that option came into the standard GUI, easy for everyone to set.

jelo (updater) 2014-12-05 17:35 ~31184

Disabling the "password forgotten" link function would be a good idea too.
When we talk about spoofing we have to think about sniffing too.

Mazi (developer) 2018-12-03 17:20 ~49861

@htwsaar, can you outline your solution in more detail so others can benefit from it as well?

htwsaar (reporter) 2018-12-04 11:02 ~49873

Here is the simple way I did it:

You need to change your /application/controllers/admin/authentication.php
using the following lines (e.g.):

    // Compare only the first 7 characters of the client address, e.g. "192.168"
    $IPRANGE = substr($_SERVER['REMOTE_ADDR'], 0, 7);
    switch ($IPRANGE) {
        case "XXX.XX.":   // first internal range
            break;
        case "YYY.YY.":   // second internal range
            break;
        default:
            die('Administrative GUI only available within the local network!<br />');
    }

where XXX.XX. and YYY.YY. are the first characters of your internal IP ranges (LANs).
If you have just one LAN (like 192.168.xxx.xxx) just use one case. If you have more, use more.

Caution: Check authentication.php after every update in case it got replaced by the update. You may have to customize it again.

Mazi (developer) 2018-12-04 11:08 ~49874

@htwsaar: Thanks a lot for your feedback!

Just a short recommendation: When switching to a newer LimeSurvey version it makes sense to create a plugin for such features. That way you are future-safe when updating later and do not have to edit the source code files.

htwsaar (reporter) 2018-12-04 11:12 ~49875

@Mazi: Thanks for that idea with a plugin.
Actually I don't know about plugins. How would I manage that? Is there a manual on how to use plugins?

DenisChenu (developer) 2018-12-04 11:56 ~49876

See https://gitlab.com/SondagesPro/ExportAndStats/quickStatAdminParticipationAndStat/blob/master/quickStatAdminParticipationAndStat.php#L428

for a simple example of an action done only for admin pages.

htwsaar (reporter) 2018-12-04 14:43 ~49878

@DenisChenu: In my opinion this is not what we wanted to have as a result.
We don't want people from outside the LAN (IP based) to be able to see the admin login page and log in.

DenisChenu (developer) 2018-12-04 16:03 ~49880

I only give a sample …

    public function beforeControllerAction()
    {
        // admin controller, but not the login/authentication action itself
        if ($this->event->get('controller') == 'admin' && $this->event->get('action') != 'authentication')
        {
            if (!$this->_yourFunctionToTest()) {
                Yii::app()->controller->redirect(array('surveys/index'));
            }
        }
    }

I don't say: do it like this …
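One way to turn the two approaches in this thread (htwsaar's prefix check patched into authentication.php, and Denis's beforeControllerAction sketch) into an update-safe plugin, written here as an added example rather than code from the ticket, from LimeSurvey or from either poster. It differs from the sketch above in gating every action of the admin controller, so outside clients do not get the login page either, which is what the request asks for; public surveys under other controllers are untouched. It also replaces the 7-character string prefix with a real CIDR match, so "10.0.0.0/8" no longer accepts 100.x.x.x and "192.168.1.0/24" no longer accepts 192.168.10.x. Class and method names follow the plugin API as used on this page; the event's `run` flag is an assumption about that API, and the address ranges are constructed sample values.

```php
<?php
/*
 * AdminIpAllowlist.php: added example plugin, not part of LimeSurvey or of this ticket.
 * Assumes the plugin API used above: PluginBase, subscribe(), and the
 * beforeControllerAction event with its 'controller' and 'action' keys.
 */
class AdminIpAllowlist extends PluginBase
{
    static protected $name = 'AdminIpAllowlist';
    static protected $description = 'Serve the admin controller (login page included) only to allow-listed client IPs';

    // Constructed sample allowlist in CIDR notation; replace with your own LAN ranges.
    protected $allowed = array('192.168.0.0/16', '10.0.0.0/8', '127.0.0.1/32', '::1/128');

    public function init()
    {
        $this->subscribe('beforeControllerAction');
    }

    public function beforeControllerAction()
    {
        // Only the admin controller is gated; public surveys stay reachable from anywhere.
        if ($this->event->get('controller') !== 'admin') {
            return;
        }
        // REMOTE_ADDR comes from the TCP connection the web server accepted, so an
        // outside client cannot present a LAN address here. Do not read X-Forwarded-For
        // instead unless a trusted reverse proxy in front of LimeSurvey overwrites it.
        $clientIp = Yii::app()->request->userHostAddress;
        if (!self::ipAllowed($clientIp, $this->allowed)) {
            $this->event->set('run', false); // assumption: asks LimeSurvey not to run the action
            throw new CHttpException(403, 'Administrative GUI only available within the local network.');
        }
    }

    /** True if $ip lies inside at least one of the CIDR blocks in $allowed. */
    public static function ipAllowed($ip, array $allowed)
    {
        foreach ($allowed as $cidr) {
            if (self::ipInCidr($ip, $cidr)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Binary CIDR match for IPv4 and IPv6. A malformed address, a malformed block,
     * or an IPv4/IPv6 mismatch counts as "not allowed" (fail closed).
     */
    public static function ipInCidr($ip, $cidr)
    {
        $parts = explode('/', $cidr, 2);
        if (isset($parts[1]) && !ctype_digit($parts[1])) {
            return false;                                   // prefix length must be numeric
        }
        $net  = @inet_pton($parts[0]);                      // false on invalid input
        $addr = @inet_pton($ip);
        if ($net === false || $addr === false || strlen($net) !== strlen($addr)) {
            return false;
        }
        $totalBits = strlen($net) * 8;                      // 32 for IPv4, 128 for IPv6
        $prefix = isset($parts[1]) ? (int) $parts[1] : $totalBits;
        if ($prefix > $totalBits) {
            return false;
        }
        // Whole bytes covered by the prefix must be identical ...
        $fullBytes = (int) ($prefix / 8);
        if ($fullBytes > 0 && substr($net, 0, $fullBytes) !== substr($addr, 0, $fullBytes)) {
            return false;
        }
        // ... and the remaining bits of the next byte are compared under a mask.
        $remainingBits = $prefix % 8;
        if ($remainingBits === 0) {
            return true;
        }
        $mask = (0xFF << (8 - $remainingBits)) & 0xFF;      // e.g. /20 -> 0xF0 on the third byte
        return (ord($net[$fullBytes]) & $mask) === (ord($addr[$fullBytes]) & $mask);
    }
}
```

Place the file at plugins/AdminIpAllowlist/AdminIpAllowlist.php and activate it in the plugin manager; because it lives outside application/, an update of LimeSurvey does not overwrite it, which removes the "re-check authentication.php after every update" step. The filter is a network-reachability control on top of the normal login, not a replacement for it: as Denis notes, an address check alone is not authentication, and behind a reverse proxy REMOTE_ADDR is the proxy's address, so the proxy must be configured to pass the real client address before such a rule is useful.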

Issue History

Date Modified Username Field Change
2014-11-25 16:34 htwsaar New Issue
2014-11-26 10:58 DenisChenu Note Added: 31101
2014-11-26 10:59 DenisChenu Note Edited: 31101
2014-11-26 11:00 DenisChenu Note Edited: 31101
2014-11-26 18:02 htwsaar Note Added: 31111
2014-11-26 18:34 DenisChenu Note Added: 31112
2014-11-26 18:54 htwsaar Note Added: 31113
2014-11-26 18:56 htwsaar Note Added: 31114
2014-11-26 19:33 DenisChenu Note Added: 31115
2014-12-04 12:44 htwsaar Note Added: 31164
2014-12-05 17:35 jelo Note Added: 31184
2018-12-03 17:20 Mazi Note Added: 49861
2018-12-04 11:02 htwsaar Note Added: 49873
2018-12-04 11:08 Mazi Note Added: 49874
2018-12-04 11:12 htwsaar Note Added: 49875
2018-12-04 11:56 DenisChenu Note Added: 49876
2018-12-04 14:43 htwsaar Note Added: 49878
2018-12-04 16:03 DenisChenu Note Added: 49880