Captcha request before token check

2 years 10 months ago #140080 by johnmoore
Dear Forum,

I'm implementing a private survey with a token (user/password) before accessing the questions.
We have added the LimeSurvey captcha to avoid brute-force attacks.

After some testing, we have noticed that tokens are requested from the database and, once the response is correct, LimeSurvey checks against the captcha.

Thus, a brute-force attack would be possible, as a list of valid tokens can be obtained without captcha intervention.

How could we enforce checking the captcha before checking the token against the database, so we can avoid a brute-force attack?

Thanks for your support.

Regards,

2 months 2 weeks ago #182584 by jelo
Reply from jelo on topic Captcha request before token check
Open a feature request. LimeSurvey should save token access with wrong tokens into a logfile (e.g. failedtoken.log), which then could be accessed via fail2ban or other blocking tools (CSF/LFD) to block on IP level.

A tool inside LimeSurvey would be fine too. The auditlog might be included too.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users

2 months 2 weeks ago - 2 months 2 weeks ago #182600 by DenisChenu

johnmoore wrote: After some testing, we have noticed that tokens are requested from the database and, once the response is correct, LimeSurvey checks against the captcha.

This must be reported as a bug, not a feature request.

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand.
An error happens? Before making a new topic: remember the Debug mode.
Last edit: 2 months 2 weeks ago by DenisChenu.

2 months 2 weeks ago #182610 by jelo
Reply from jelo on topic Captcha request before token check
My answer was for a different thread. Sorry.
www.limesurvey.org/forum/design-issues/1...lt-in-captcha#182599

2 months 2 weeks ago #182625 by DenisChenu
But still an issue: captcha check must happen before token check: this is the issue.

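The check order discussed in this thread, as an added example (not LimeSurvey code and not written by any poster): it contrasts a token-first handler, whose replies differ for valid and invalid tokens even when the captcha is wrong, with a captcha-first handler that never reaches the token table on a failed captcha. The function names, reply strings, sample tokens and the in-memory session are assumptions made for illustration.

```python
import hmac

VALID_TOKENS = {"a7f3k9", "q2m8x1"}   # constructed sample tokens

def token_exists(token, lookups):
    """Stand-in for the token-table query; logs each lookup it serves."""
    lookups.append(token)
    return token in VALID_TOKENS

def captcha_ok(session, answer):
    """Consume the stored captcha so every attempt needs a fresh one."""
    expected = session.pop("captcha", None)
    return expected is not None and hmac.compare_digest(expected, answer)

def token_first(session, token, answer, lookups):
    """Order described in the thread: database lookup, then captcha."""
    if not token_exists(token, lookups):
        return "invalid token"
    if not captcha_ok(session, answer):
        return "invalid captcha"      # reachable only with a valid token
    return "ok"

def captcha_first(session, token, answer, lookups):
    """Captcha gates the lookup; both failures return the same message."""
    if not captcha_ok(session, answer):
        return "access denied"
    if not token_exists(token, lookups):
        return "access denied"
    return "ok"

def probe(handler, candidates):
    """Submit each candidate with a wrong captcha; return replies and lookups."""
    lookups, replies = [], {}
    for token in candidates:
        session = {"captcha": "x4kq"}  # constructed challenge answer
        replies[token] = handler(session, token, "wrong", lookups)
    return replies, lookups

if __name__ == "__main__":
    for handler in (token_first, captcha_first):
        print(handler.__name__, *probe(handler, ["a7f3k9", "zzzzzz"]))
```

With the token-first order the two candidates get different replies and both hit the token table; with the captcha-first order the replies are identical and no lookup is made.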
