View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
19492 | Bug reports | Security | public | 2024-03-21 13:25 | 2024-03-21 15:40 |
Field | Value |
---|---|
Reporter | LDBV |
Assigned To | |
Priority | none |
Severity | minor |
Status | new |
Resolution | open |
Product Version | 6.4.x |
Summary | 19492: Different minimum password requirements inside and outside of LimeSurvey |
Description | Greetings, we had a pen test for our LimeSurvey V6 server. The testers have found several critical security problems (we are opening different bug report tickets). When you have forgotten your password and ask LimeSurvey for a new password, you get a mail with a link to change your password. This password change link has different minimal password requirements (min. 8 characters, min. 1 number, min. 1 capital letter) compared to the password change function inside of LimeSurvey (our stricter settings are min. 10 characters, min. 1 number, min. 1 capital letter, min. 1 special character). Dr. Minke (Survey-Consulting) told us that there is no way to change the settings (min. 8 characters, min. 1 number, min. 1 capital letter) of the "external" password change screen. The "external" password change screen should Thank you. |
Steps To Reproduce | In the login screen you click on "Forgot password?". The "external" password change screen opens and only wants the password to have min. 8 characters, min. 1 number, min. 1 capital letter. Our stricter specified minimum password settings are ignored (min. 10 characters, min. 1 number, min. 1 capital letter, min. 1 special character). The "internal" password change screen of LimeSurvey V6 (username - account - change password) correctly uses our stricter specified minimum password settings. Both password change screens should use the same admin-specified password settings. |
Tags | No tags attached. |
Bug heat | 258 |
Complete LimeSurvey version number (& build) | both 6.4.6+240212 and 6.5.0+240319 |
I will donate to the project if issue is resolved | No |
Browser | Regardless of the browser |
Database type & version | MySQL 8.0.36 |
Server OS (if known) | SLES 15.5 |
Webserver software & version (if known) | Apache 2.4.51 |
PHP Version | PHP 8.0.30 |
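As an added example (not LimeSurvey's code), a minimal sketch of the defensive pattern this report asks for: one configured policy object consumed by both the logged-in change path and the e-mail reset path, plus a regression check that the two paths reach the same verdict. The policy numbers and the sample passwords are constructed to mirror the values in the report.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Minimum requirements, as an admin would configure them."""
    min_length: int = 8
    min_digits: int = 1
    min_upper: int = 1
    min_special: int = 0

    def violations(self, pw: str) -> list[str]:
        """Return the unmet requirements; an empty list means the password is accepted."""
        problems = []
        if len(pw) < self.min_length:
            problems.append(f"fewer than {self.min_length} characters")
        if sum(c.isdigit() for c in pw) < self.min_digits:
            problems.append(f"fewer than {self.min_digits} digit(s)")
        if sum(c.isupper() for c in pw) < self.min_upper:
            problems.append(f"fewer than {self.min_upper} capital letter(s)")
        if sum(not c.isalnum() for c in pw) < self.min_special:
            problems.append(f"fewer than {self.min_special} special character(s)")
        return problems


# Constructed values mirroring the report: the admin's stricter settings and the
# fixed defaults the reporter saw on the "Forgot password?" screen.
ADMIN_POLICY = PasswordPolicy(min_length=10, min_digits=1, min_upper=1, min_special=1)
RESET_SCREEN_DEFAULTS = PasswordPolicy(min_length=8, min_digits=1, min_upper=1)


def change_password_logged_in(pw: str, policy: PasswordPolicy = ADMIN_POLICY) -> list[str]:
    """The "internal" screen: validates against the configured policy."""
    return policy.violations(pw)


def reset_via_link_buggy(pw: str) -> list[str]:
    """The "external" screen as reported: hard-coded minimums, admin settings ignored."""
    return RESET_SCREEN_DEFAULTS.violations(pw)


def reset_via_link_fixed(pw: str, policy: PasswordPolicy = ADMIN_POLICY) -> list[str]:
    """The fix: the reset path reads the same configured policy as the internal screen."""
    return policy.violations(pw)


def paths_agree(pw: str, reset_path=reset_via_link_fixed) -> bool:
    """Regression check: both entry points must accept or reject the same password."""
    return (not change_password_logged_in(pw)) == (not reset_path(pw))
```

Run with a 9-character password containing a digit and a capital but no special character (for example `Summer24X`): the buggy reset path accepts it, the logged-in path rejects it, and `paths_agree` flags the mismatch until the reset path is switched to the configured policy.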