View Issue Details

This bug affects 3 person(s).
 28
IDProjectCategoryView StatusLast Update
17695Bug reportsAuthenticationpublic2023-02-14 15:56
ReportersdsAdm1n Assigned Togabrieljenik  
PrioritynoneSeveritypartial_block 
Status closedResolutionduplicate 
Product Version5.x 
Summary17695: Exceeding the number of maximum access code validation attempts
Description

for one survey, if a participant provided a wrong token five times, a message showing "You have exceeded the number of maximum access code validation attempts. Please wait 10 minutes before trying again" appears and accordingly all participants for all active surveys became unable to access the surveys until the 10 minutes waiting time finish. not only the survey participants, but also admin users can't sign in until waiting time get finish.

Similarly, if an admin user provided 3 wrong password attempts, all other users should wait 10 minutes to access. the rule should be applied to that particular user only not to all users. also, when this issue happened, survey participants will see a message saying please wait 10 minutes before trying again. however, if they provide a right token number, they will be able to access.

Steps To Reproduce

Steps to reproduce

Activate token-based survey.
Call the token prompt screen.
Provide wrong token number five times.

Expected result

Access should be denied on that survey only and for that participant only (through ip address for example)

Actual result

LS Access denied for all participants of all surveys as well as for admin users until after 10 minutes.

TagsNo tags attached.
Attached Files
AdminScreen.png (48,197 bytes)   
AdminScreen.png (48,197 bytes)   
TokenScreen.png (34,242 bytes)   
TokenScreen.png (34,242 bytes)   
Bug heat28
Complete LimeSurvey version number (& build)5.0.5+210621
I will donate to the project if issue is resolvedNo
BrowserChrome
Database type & versionMS SQL Server 2016
Server OS (if known)Win Server 2019
Webserver software & version (if known)IIS 10
PHP Version7.4

Relationships

related to 17322 closedpstelling Need different time and count for lock out access for token VS admin user 

Users monitoring this issue

medhat, tassoman

Activities

DenisChenu

DenisChenu

2021-11-04 10:47

developer   ~67109

Last edited: 2021-11-04 10:47

Hi,
Currently stay in IP block seems the only solution (except with big big update).

See feature https://bugs.limesurvey.org/view.php?id=17322

token : bot access : 1 seconds after 3 try is the best
admin : 10 minutes is really better

Do you think it's OK ?

DenisChenu

DenisChenu

2021-11-04 10:48

developer   ~67110

Need the " that survey only" part more.

medhat

medhat

2021-11-08 05:57

reporter   ~67152

I totally agree Denis, it should block from the specific IP only.
This is a big problem as anybody can hack the survey by entering a wrong token few times and Voila, nobody will be able to participate!!

DenisChenu

DenisChenu

2021-11-08 08:52

developer   ~67162

@medhat : we can not block "THIS" token only .

My opinion

  1. different time and count for lock out access for token VS admin user : IP block
  2. Add survey id for token user (disable access for this IP for this survey, not other survey) : ?
  3. Add admin user block by username
tassoman

tassoman

2022-02-18 14:52

reporter   ~68324

I'm using 3.x version behind a reverse proxy and behind kubernetes.
The feature is blacklisting the proxy's address. If you're simply using $_SERVER['REMOTE_HOST'] that's not enough.
You should have care of the address $_SERVER['HTTP_X_FORWARDED_FOR'] also.
My blocked IP is the kubernetes service.

tassoman

tassoman

2022-02-18 17:21

reporter   ~68328

HTTP_X_FORWARDED_FOR can be a comma separated list of IPv4 addresses.
The least forwarded should be on the left.

https://github.com/LimeSurvey/LimeSurvey/blob/7b9e6711e1e673522247905f4d1d3fa199e57da1/application/helpers/common_helper.php#L4646

Maybe I can post a patch on this. Do you accept github Pull requests?

More, on this, I would say the IP address can be easily faked with crafted http requests from an attacker. I wouldn't pay so much attention on this.

tassoman

tassoman

2022-02-18 17:29

reporter   ~68330

I'm going to file my issues inside 17322
(sorry for cross-posting)

DenisChenu

DenisChenu

2022-02-18 17:31

developer   ~68331

Maybe I can post a patch on this. Do you accept github Pull requests?

Yes, always

More, on this, I would say the IP address can be easily faked with crafted http requests from an attacker.

yes complex solution, but even solution based on fail2ban have such issue …

gabrieljenik

gabrieljenik

2022-04-22 14:51

manager   ~69193

As per the comments, will be closing the ticket.
Seems it was already fixed on 17322.

Please add any comments in case it should be reopened.
Thanks

sdsAdm1n

sdsAdm1n

2022-05-11 12:31

reporter   ~69575

@gabrieljenik the the fix is applied for LS version 3, but we are facing the issue on LS version 5. any commendations?

sdsAdm1n

sdsAdm1n

2022-05-11 12:40

reporter   ~69576

please ignore my last comment. i have version 5.3.8+220404 and I can see the new features under Global settings to control the behavior. will check on that.
Thanks

MSouad

MSouad

2023-02-14 15:31

manager   ~73820

a user just reported this same bug.
Survey's users get blocked for 10min after entering a wrong code 3 or 5 times. Even admin is blocked
survey URL: https://graz.limequery.com/618972?lang=de
LimeSurvey cloud version:5.6.4

10min.png (14,208 bytes)   
10min.png (14,208 bytes)   
DenisChenu

DenisChenu

2023-02-14 15:56

developer   ~73821

@MSouad : please contact support@limesurvey.org too.

Issue History

Date Modified Username Field Change
2021-11-04 09:23 sdsAdm1n New Issue
2021-11-04 09:23 sdsAdm1n File Added: AdminScreen.png
2021-11-04 09:23 sdsAdm1n File Added: TokenScreen.png
2021-11-04 10:45 DenisChenu Relationship added related to 17322
2021-11-04 10:47 DenisChenu Note Added: 67109
2021-11-04 10:47 DenisChenu Bug heat 0 => 2
2021-11-04 10:47 DenisChenu Note Edited: 67109
2021-11-04 10:48 DenisChenu Note Added: 67110
2021-11-08 05:51 medhat Issue Monitored: medhat
2021-11-08 05:51 medhat Bug heat 2 => 4
2021-11-08 05:57 medhat Note Added: 67152
2021-11-08 05:57 medhat Bug heat 4 => 6
2021-11-08 05:57 guest Bug heat 6 => 12
2021-11-08 08:52 DenisChenu Note Added: 67162
2022-01-03 17:05 DenisChenu Category Accessibility => Authentication
2022-01-03 17:05 DenisChenu Description Updated
2022-01-03 17:05 DenisChenu Steps to Reproduce Updated
2022-02-18 14:52 tassoman Note Added: 68324
2022-02-18 14:52 tassoman Bug heat 12 => 14
2022-02-18 14:55 tassoman Issue Monitored: tassoman
2022-02-18 14:55 tassoman Bug heat 14 => 16
2022-02-18 17:15 DenisChenu Bug heat 16 => 22
2022-02-18 17:21 tassoman Note Added: 68328
2022-02-18 17:29 tassoman Note Added: 68330
2022-02-18 17:31 DenisChenu Note Added: 68331
2022-04-22 14:51 gabrieljenik Assigned To => gabrieljenik
2022-04-22 14:51 gabrieljenik Status new => closed
2022-04-22 14:51 gabrieljenik Resolution open => fixed
2022-04-22 14:51 gabrieljenik Note Added: 69193
2022-04-22 14:51 gabrieljenik Bug heat 22 => 24
2022-04-22 14:52 gabrieljenik Resolution fixed => duplicate
2022-05-11 12:31 sdsAdm1n Note Added: 69575
2022-05-11 12:31 sdsAdm1n Bug heat 24 => 26
2022-05-11 12:40 sdsAdm1n Note Added: 69576
2023-02-14 15:31 MSouad Note Added: 73820
2023-02-14 15:31 MSouad File Added: 10min.png
2023-02-14 15:31 MSouad Bug heat 26 => 28
2023-02-14 15:56 DenisChenu Note Added: 73821