Captcha request before token check
7 years 7 months ago #140080
by johnmoore
Captcha request before token check was created by johnmoore
Dear Forum,
I'm implementing a private survey with a token (user/password) before accessing the questions.
We have added the LimeSurvey captcha to avoid brute-force attacks.
After some testing, we have noticed that tokens are requested from the database and, once the response is correct, LimeSurvey checks against the captcha.
Thus, a brute-force attack would be possible, as a list of valid tokens can be obtained without captcha intervention.
How could we enforce checking the captcha before checking the token against the database, so we can avoid a brute-force attack?
Thanks for your support.
Regards,
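The ordering problem described in the opening post, as an added illustration that is not LimeSurvey code: a constructed token store counts how often it is queried, so the two check orders can be compared. Token values, the captcha answer and the response strings are all made-up assumptions.

```python
"""Constructed demo: captcha-after-token vs captcha-before-token ordering.

The TokenStore stands in for the survey's tokens table and the captcha
verifier for the session captcha; neither is LimeSurvey's own code.
"""
from dataclasses import dataclass, field

VALID_TOKENS = {"abc123", "xyz789"}  # constructed sample survey tokens


@dataclass
class TokenStore:
    """Fake database with a lookup counter, so a caller can tell when it was hit."""
    tokens: set = field(default_factory=lambda: set(VALID_TOKENS))
    lookups: int = 0

    def exists(self, token: str) -> bool:
        self.lookups += 1
        return token in self.tokens


def captcha_ok(answer: str, expected: str = "7") -> bool:
    """Stand-in for comparing the submitted answer with the session captcha."""
    return answer == expected


def vulnerable_check(store: TokenStore, token: str, captcha_answer: str) -> str:
    """Order reported in the thread: database lookup first, captcha second.

    With a wrong captcha, valid and invalid tokens still yield different
    responses, so token validity leaks without the captcha ever passing."""
    if not store.exists(token):
        return "invalid token"
    if not captcha_ok(captcha_answer):
        return "wrong captcha"
    return "access granted"


def hardened_check(store: TokenStore, token: str, captcha_answer: str) -> str:
    """Captcha first: the database is not consulted until it passes, and the
    failure response does not depend on whether the token exists."""
    if not captcha_ok(captcha_answer):
        return "wrong captcha"
    if not store.exists(token):
        return "invalid token"
    return "access granted"
```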
The topic has been locked.
4 years 11 months ago #182584
by jelo
Replied by jelo on topic Captcha request before token check
Open a feature request. LimeSurvey should save token access attempts with wrong tokens into a logfile (e.g. failedtoken.log), which could then be accessed by fail2ban or other blocking tools (CSF/LFD) to block on IP level.
A tool inside LimeSurvey would be fine too. The auditlog might be included too.
The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
4 years 11 months ago - 4 years 11 months ago #182600
by DenisChenu
Replied by DenisChenu on topic Captcha request before token check
johnmoore wrote: After some testing, we have noticed that tokens are requested from the database and, once the response is correct, LimeSurvey checks against the captcha.
This must be reported as a bug, not a feature request.
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.
Last edit: 4 years 11 months ago by DenisChenu.
4 years 11 months ago #182610
by jelo
Replied by jelo on topic Captcha request before token check
My answer was for a different thread. Sorry.
www.limesurvey.org/forum/design-issues/1...lt-in-captcha#182599
The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
4 years 11 months ago #182625
by DenisChenu
Replied by DenisChenu on topic Captcha request before token check
But it is still an issue: the captcha check must happen before the token check; this is the issue.
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development .
I don't answer to private message.