TOPIC: Instructions on "Installation security hints" do not seem to apply to version 2!

Instructions on "Installation security hints" do not seem to apply to version 2! 3 years 10 months ago #91781

  • Sweden
Could someone please take a look at this issue "bugs.limesurvey.org/view.php?id=6771" - I believe the problem is still there. I have changed config.php as described under "Other security issues" ("docs.limesurvey.org/Installation+securit...tions+for+LimeSurvey") and because of that I can no longer login to admin - all I get is a blank page.

Please help - I don't want to use LimeSurvey in an insecure way!
Thanks
Last Edit: 3 years 10 months ago by Sweden.

Instructions on "Installation security hints" do not seem to apply to version 2! 3 years 10 months ago #91783

  • DenisChenu
The actual doc is for 2.0.

Denis
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand (use private message).

Instructions on "Installation security hints" do not seem to apply to version 2! 3 years 10 months ago #91785

  • Sweden
Thanks Denis, not sure what you mean by that? I have installed the newest version of LimeSurvey yesterday and the instructions don't seem to work... perhaps it works on your server?

I tried to insert echo commands in the configreal.php (placed in a non-web directory) - I get a message if I place the echo command in the beginning of the file, I get none if I place it at the bottom. I guess that means that my modified config.php file points to my configreal.php file but somehow this file doesn't get to the end.
Last Edit: 3 years 10 months ago by Sweden. Reason: additional info

Instructions on "Installation security hints" do not seem to apply to version 2! 3 years 10 months ago #91792

  • Sweden
I really hope someone can answer this question - I don't want the risk of sharing my MySQL username and password with the whole world! :( I can't be the only one with this concern...

BTW: Another thing, my LimeSurvey MySQL user account/database have "GRANT ALL PRIVILEGES ON". What is the minimum needed?

Instructions on "Installation security hints" do not seem to apply to version 2! 3 years 10 months ago #91996

  • Sweden
What a shame no one can look into this issue... :(

I also haven't got an answer on one of my other security related issues. Although I know LimeSurvey is based on free work I do think security issues should have a higher priority than anything else. It makes no sense to have a great system if someone can hack into it and mess with the data.

I found another post that someone made a long time ago about the same problem and no one gave him an answer. I really like LimeSurvey but I'm afraid to use it because of this security issue.
Last Edit: 3 years 10 months ago by Sweden.

Instructions on "Installation security hints" do not seem to apply to version 2! 3 years 10 months ago #92011

  • DenisChenu
Working with some change.

In config file, look at:
'urlManager' => array(
			'urlFormat' => 'path',// or 'get'
			'rules' => require('routes.php'),
			'showScriptName' => true,// or false
		),

And replace 'routes' by '/yourlimesurveyinstallationdir//application/config/routes.php'.

Sweden wrote:
I also haven't got an answer on one of my other security related issues. Although I know LimeSurvey is based on free work I do think security issues should have a higher priority than anything else. It makes no sense to have a great system if someone can hack into it and mess with the data.

There is not a big security issue here, except for servers without good security. Mine, for example, completely separates each user's Apache server, with no access to other users' files (except for root, but root is root, and root cannot connect to my server).

Here, with access to the log file, it's very easy to see the problem. If you don't have access to your log file, or don't understand your log file, maybe the best thing is to ask a professional server administrator.

Denis
PS: Other_security_issues updated.
PS2: The MySQL user is not accessible by "the whole world" but only by users on the server. (If the server is good: only you and root.)
Last Edit: 3 years 10 months ago by DenisChenu.
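
What the routes.php change in the post above addresses, as an added example (not part of the original posts and not LimeSurvey code): a relative require('routes.php') inside a configreal.php that sits in a non-web directory no longer resolves, and with error display off the response is simply empty. The script rebuilds that layout in a temporary directory and runs it three ways; the directory names, the stub config.php and the one-entry routes array are constructed stand-ins.

```php
<?php
// Added example: reproduces the blank page in a throwaway directory.
// Every path and file body below is constructed; none of it is LimeSurvey code.
$base = sys_get_temp_dir() . '/ls_cfg_demo_' . getmypid();
$web  = "$base/public_html/application/config"; // stands in for the web-visible config dir
$priv = "$base/private";                        // stands in for the non-web directory
mkdir($web, 0700, true);
mkdir($priv, 0700, true);

// routes.php stays where the installer put it.
file_put_contents("$web/routes.php", "<?php return array('admin' => 'admin/index');\n");
// Stub left in the web directory: it has to *return* what the real file returns.
file_put_contents("$web/config.php",
    '<?php return require ' . var_export("$priv/configreal.php", true) . ";\n");
// Stand-in for the application's entry point: load the config, print one value.
file_put_contents("$base/index.php",
    '<?php $c = require ' . var_export("$web/config.php", true) . ";\n"
    . 'echo "rules loaded: ", count($c["urlManager"]["rules"]), "\n";' . "\n");

// Write configreal.php with the given path inside require().
function writeReal(string $priv, string $routesPath): void
{
    file_put_contents("$priv/configreal.php",
        "<?php return array('urlManager' => array(\n"
        . "    'urlFormat' => 'path',\n"
        . "    'rules' => require(" . var_export($routesPath, true) . "),\n"
        . "    'showScriptName' => true,\n"
        . "));\n");
}

// Run index.php in a child PHP process; return [exit code, combined output].
function run(string $base, int $displayErrors): array
{
    $cmd = escapeshellarg(PHP_BINARY) . " -d display_errors=$displayErrors -d log_errors=0 "
         . escapeshellarg("$base/index.php") . ' 2>&1';
    exec($cmd, $out, $code);
    return array($code, implode("\n", $out));
}

writeReal($priv, 'routes.php');            // relative path, as in the config quoted above
list($code, $out) = run($base, 0);         // errors hidden: the "blank page"
echo "relative, errors hidden: exit=$code output=", var_export($out, true), "\n";
list($code, $out) = run($base, 1);         // same failure, now visible
echo "relative, errors shown:  exit=$code\n$out\n";

writeReal($priv, "$web/routes.php");       // absolute path to routes.php
list($code, $out) = run($base, 0);
echo "absolute, errors hidden: exit=$code output=", var_export($out, true), "\n";
```

Run it with the PHP command-line binary; it writes only under the system temporary directory.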

Instructions on "Installation security hints" do not seem to apply to version 2! 3 years 10 months ago #92044

  • Sweden
Thanks for your help DenisChenu but I tried your suggestion and it didn't make any difference. :(

My config.php file works when it is in the config folder so I guess that means that everything but the path is right. I have installed LimeSurvey on an addon website.
This is the path I use in configreal.php in general (I have replaced my username with x1x1x1x1):

/home/x1x1x1x1/public_html/addonwebsite.com/myLimeSurveyFolder/....

Is this the right way to do it?

Thanks.


BTW: I think you should change:
'rules' => require('/var/www/htdocs/limesurvey/routes.php'),
to
'rules' => require('/var/www/htdocs/limesurvey/application/config/routes.php'),
in Other_security_issues to avoid confusion.
Last Edit: 3 years 10 months ago by Sweden.

Instructions on "Installation security hints" do not seem to apply to version 2! 3 years 10 months ago #92045

  • DenisChenu
I can't tell you what your server system is.

You can add a test file in your limesurvey installation with
echo "dirname(__FILE__)";

And see your path.

Maybe your host restricts this operation; I can't tell.

Denis

Instructions on "Installation security hints" do not seem to apply to version 2! 3 years 10 months ago #92047

  • Sweden
Thanks again, I tried that (without the "") and the path is right so that is not the problem...

Can you confirm that my problem with the config.php/configreal.php is a general problem?
Does it work on your installation?
Last Edit: 3 years 10 months ago by Sweden.

Instructions on "Installation security hints" do not seem to apply to version 2! 3 years 10 months ago #92050

  • DenisChenu
Yes,

Tested, and found the error.

Try this:
put this in your configreal.php
<?php
die("TEST");

If you see "TEST" on all pages of LimeSurvey, it's a problem with your configreal; if not, this file is not included in your config.php.

Denis
PS: put the content of your config.php here.
Last Edit: 3 years 10 months ago by DenisChenu.

Instructions on "Installation security hints" do not seem to apply to version 2! 3 years 10 months ago #92060

  • Sweden
Thanks for your suggestion Denis - isn't your command similar to using echo "test"? I have already done that and I do get the "test" message - meaning that my configreal.php file is being found by config.php.

I just tried to see if I could replicate this issue on my local version of LimeSurvey and it is the same here - I get a blank screen.

I found this thread and this other user had the same problem. Are you saying that it works on your LimeSurvey installation? What version are you using? I'm using Version 2.00+ Build 130122.
Last Edit: 3 years 10 months ago by Sweden.

Instructions on "Installation security hints" do not seem to apply to version 2! 3 years 10 months ago #92061

  • DenisChenu
Always the latest Git version, but this was unchanged.

Do you have access to the error log of the server?

Denis
Last Edit: 3 years 10 months ago by DenisChenu.

Instructions on "Installation security hints" do not seem to apply to version 2! 3 years 10 months ago #92062

  • Sweden
It is strange that it works on your installation - the person in the thread I was linking to had the same problem.... and I can't get it to work on both my online and local version of LimeSurvey... I wonder what could be wrong.

Should I give up, and use something else than LimeSurvey (I would be sad about that), or is there anything else I could try?

Instructions on "Installation security hints" do not seem to apply to version 2! 3 years 10 months ago #92063

  • DenisChenu
Sweden wrote:
Should I give up, and use something else than LimeSurvey (I would be sad about that), or is there anything else I could try?

I already asked:
- Do you have access to your error log?

2nd part: you can leave LS if you want, not my problem, but for your information:
- All survey systems need a connection string
- A lot of survey systems leave the connection string in the same directory as LS
- LS security risks are fixed 48 hours or less after being found.

And again, it's not a security risk here....

Denis
PS: another config here: demonstration.sondages.pro/config.php
Try to view the DB settings: no way, and no change from 1.92. Apache doesn't show it, it's PHP....
Last Edit: 3 years 10 months ago by DenisChenu. Reason: PS

Instructions on "Installation security hints" do not seem to apply to version 2! 3 years 10 months ago #92066

  • Sweden
Thanks Denis,

I know it isn't your problem, I'm not blaming anyone, but please understand that I can't have a system that may reveal my MySQL database user + password so someone can mess with my data without my knowledge. LS security instructions mention that this could be the result and why I am worried.
I don't know anything better than LimeSurvey - that is why I hope I can fix this problem ;)
If you can make it work on your server then clearly it is a problem on my side and something that I should be able to fix.

I'm not sure where the error log is located. It doesn't generate any error in the error_log located in the limesurvey directory. cPanel got an error log that shows the last 300 errors but there isn't any error at all. Anywhere else I could look?

Thanks again - I really appreciate your help.
Last Edit: 3 years 10 months ago by Sweden.