
Captcha request before token check

7 years 7 months ago #140080 by johnmoore
Captcha request before token check was created by johnmoore
Dear Forum,

I'm implementing a private survey with a token (user/password) before accessing the questions.
We have added the LimeSurvey captcha to avoid brute-force attacks.

After some testing, we have noticed that the token is looked up in the database first and, once that response is correct, LimeSurvey checks the captcha.

Thus, a brute-force attack would be possible, as a list of valid tokens can be obtained without captcha intervention.

How could we enforce checking the captcha before checking the token against the database, so that we can avoid a brute-force attack?

Thanks for your support.

Regards,
The topic has been locked.
4 years 11 months ago #182584 by jelo
Replied by jelo on topic Captcha request before token check
Open a feature request. LimeSurvey should save access attempts with wrong tokens to a logfile (e.g. failedtoken.log), which could then be read by fail2ban or other blocking tools (CSF/LFD) to block at IP level.

A tool inside LimeSurvey would be fine too. The auditlog might be included too.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
4 years 11 months ago - 4 years 11 months ago #182600 by DenisChenu
Replied by DenisChenu on topic Captcha request before token check

johnmoore wrote: After some testing, we have noticed that the token is looked up in the database first and, once that response is correct, LimeSurvey checks the captcha.

This must be reported as a bug, not a feature request.

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
I don't answer private messages.
Last edit: 4 years 11 months ago by DenisChenu.
4 years 11 months ago #182610 by jelo
Replied by jelo on topic Captcha request before token check
My answer was for a different thread. Sorry.
www.limesurvey.org/forum/design-issues/1...lt-in-captcha#182599
4 years 11 months ago #182625 by DenisChenu
Replied by DenisChenu on topic Captcha request before token check
But it is still an issue: the captcha check must happen before the token check. This is the issue.
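The ordering problem raised in this thread, as an added illustration rather than LimeSurvey's own code: a minimal model of a token-protected entry form with a captcha. `check_token_then_captcha` reproduces the order johnmoore observed (database lookup first, captcha second), `check_captcha_then_token` the order DenisChenu asks for. The token set, the session captcha code, the IP address and the log line format are all constructed for the example; `hmac.compare_digest` is only used for constant-time string comparison and is not how LimeSurvey verifies captchas.

```python
"""Order of checks on a token-protected survey entry page (added example).

Not LimeSurvey code. The token table, the per-visitor captcha code, the
client IP and the log format are constructed for illustration. The
fail2ban-style log line follows jelo's suggestion of recording failed
attempts per IP.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample token table standing in for the survey's token table.
SAMPLE_TOKENS = {"abc123XYZ", "p9Qz7Lm2Kd"}


@dataclass
class TokenStore:
    """Wraps the token table and counts lookups so both orders can be compared."""
    tokens: set
    queries: int = 0

    def exists(self, token: str) -> bool:
        self.queries += 1
        # Constant-time comparison; the lookup itself is what must be gated.
        return any(hmac.compare_digest(token, t) for t in self.tokens)


@dataclass
class Session:
    """Per-visitor state: the captcha code the server expects to be typed."""
    captcha_code: str = field(default_factory=lambda: secrets.token_hex(3))

    def rotate_captcha(self) -> None:
        # A solved captcha is single-use; issue a new code after every attempt.
        self.captcha_code = secrets.token_hex(3)


FAILED_LOG: list[str] = []


def log_failed_attempt(ip: str, reason: str) -> str:
    """One line per failed attempt, in a shape a log-based IP blocker can match."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    line = f"{stamp} failed survey access ({reason}) from {ip}"
    FAILED_LOG.append(line)
    return line


def check_token_then_captcha(store, session, token, captcha, ip):
    """Order described in the thread: the database is queried before the
    captcha is verified, so the reply reveals whether the token exists."""
    if not store.exists(token):
        log_failed_attempt(ip, "unknown token")
        return "invalid token"
    if not hmac.compare_digest(session.captcha_code, captcha):
        return "captcha failed"
    return "ok"


def check_captcha_then_token(store, session, token, captcha, ip):
    """Requested order: a wrong captcha ends the attempt before any lookup,
    and the visitor gets the same reply whatever token was submitted."""
    expected = session.captcha_code
    session.rotate_captcha()  # never accept the same code twice
    if not hmac.compare_digest(expected, captcha):
        log_failed_attempt(ip, "captcha")
        return "access denied"
    if not store.exists(token):
        log_failed_attempt(ip, "unknown token")
        return "access denied"
    return "ok"


def compare_orders():
    """Submit a wrong captcha with a valid and an unknown token under both orders."""
    results = {}
    for name, check in (("token_first", check_token_then_captcha),
                        ("captcha_first", check_captcha_then_token)):
        store = TokenStore(set(SAMPLE_TOKENS))
        session = Session(captcha_code="a1b2c3")  # constructed code
        replies = {
            "valid_token": check(store, session, "abc123XYZ", "wrong", "203.0.113.5"),
            "unknown_token": check(store, session, "nope", "wrong", "203.0.113.5"),
        }
        results[name] = {"replies": replies, "db_queries": store.queries}
    return results


if __name__ == "__main__":
    for order, outcome in compare_orders().items():
        print(order, outcome)
    print("\n".join(FAILED_LOG))
```

With the token-first order the two replies differ ("captcha failed" versus "invalid token") and the table is queried on every attempt, so captcha-less guessing tells valid tokens from invalid ones. With the captcha-first order the table is never touched until a fresh captcha has been solved, and both failures produce the same reply.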