General security issues

2 weeks 6 days ago #170385 by r0bis
r0bis created the topic: General security issues
I am trying to introduce limesurvey in a large healthcare organisation to hold (at least initially) anonymised non-confidential data. Patient satisfaction surveys, educational events feedback etc. In making a business case I need to evaluate risks.

What could I say about limesurvey security?

I plan initially to run it on an LAMP virtual machine in company's DMZ as I have experience running it on my machine and hosted on a generic hosting account, but later they may want to put it on their main web server. I need to have JSON-RPC enabled - I will be using R (cloudyr/limer) for creation of reports.

So far I know only that there are security updates and there is a mechanism for cross-site scripting detection.

It would be very useful if I could get some information about how limesurvey team plan for and address any security issues. Perhaps security policy? And maybe, if there is information on that, how other organisations that use limesurvey have been satisfied with security or addressed any security issues.

Many thanks,

Rob

2 weeks 6 days ago #170393 by LouisGac
LouisGac replied the topic: General security issues
Well, LimeSurvey is used by a lot of institutions, and many security companies scan the LS code and report any issues they find. We fix the issues as soon as they are reported and release immediately after that. Those releases are tagged as "security release" and shown as a security update in ComfortUpdate.

2 weeks 6 days ago #170396 by r0bis
r0bis replied the topic: General security issues
Thanks, that is very helpful. What kind of security companies scan the LS code? Maybe some examples, or references to the process? Are they security research companies? I am asking because of my ignorance; I wondered why a company would scan another party's code for vulnerabilities. Many thanks.

2 weeks 6 days ago - 2 weeks 6 days ago #170406 by LouisGac
LouisGac replied the topic: General security issues
Well, here is a recent example:
www.limesurvey.org/about-us/news/2075-li...ity-advisory-02-2018


If you have a clone of the LimeSurvey git repo you can run:
$ git log --all --grep="\[security\]"

to see all the security commits.

For example:
github.com/LimeSurvey/LimeSurvey/commit/...b78c92e1810a2f9705d7

As you can see, we credit the company that reports a security issue.
In this commit: reported by Dr. Erlijn van Genuchten & Manuel Stotz (SySS GmbH)
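One practical use of that git log grep, as an added example that is not from the thread or the LimeSurvey project: compare the ref you have deployed against upstream and list the "[security]"-tagged commits your installation is still missing. The tag name "deployed", the branch name "main" and the throwaway repository built by make_demo_repo are assumptions constructed for the demo, not LimeSurvey's real history.

```shell
#!/bin/sh
# Added example (not LimeSurvey project code). Requires git and a local clone.
set -e

# Print short hash, date and subject of every "[security]" commit reachable
# from $3 (upstream ref) but not from $2 (the ref your site is running).
missing_security_fixes() {
    repo=$1; deployed=$2; upstream=$3
    git -C "$repo" log --grep='\[security\]' --date=short \
        --format='%h %ad %s' "$deployed..$upstream"
}

# Same query as a count, handy for a nightly check or a monitoring script.
# grep -c exits 1 when the count is 0, so swallow that status.
missing_security_count() {
    missing_security_fixes "$1" "$2" "$3" | grep -c . || true
}

# Empty commit with a fixed identity, so the demo works on a clean machine.
demo_commit() {
    git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "$2"
}

# Build a small constructed repository so the functions can run offline:
# two security commits, only the first of which is in the "deployed" tag.
make_demo_repo() {
    repo=$1
    git init -q "$repo"
    git -C "$repo" symbolic-ref HEAD refs/heads/main   # branch name assumed
    demo_commit "$repo" "Initial import (constructed)"
    demo_commit "$repo" "[security] Fixed issue #1 (constructed)"
    git -C "$repo" tag deployed                         # what the site runs
    demo_commit "$repo" "New feature: report export (constructed)"
    demo_commit "$repo" "[security] Fixed issue #2 (constructed)"
}

# Usage: sh check_security_fixes.sh demo   (or call the functions on a real clone)
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_demo_repo "$tmp/ls"
    missing_security_fixes "$tmp/ls" deployed main   # lists only issue #2
    rm -rf "$tmp"
fi
```

On a real clone, replace the tag and branch with the release tag you run and the upstream branch you track (for example `missing_security_fixes /srv/limesurvey 3.x.y origin/master`, names assumed).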
