
Survey answers are not properly encrypted in the database

2 years 9 months ago - 2 years 9 months ago #218167 by rasberryMouth
Greetings!

On Limesurvey 5.0.6 + MySQL 5.7 running on docker, I've been struggling with trying to get my survey answers properly encrypted on the database.
This can be reproduced with github.com/martialblog/docker-limesurvey by running docker-compose up on the repo and accessing the backend from http://localhost:8080/index.php/admin

First, create a regular survey with one question that has encryption turned on. Then publish the survey and give it an answer. (see lm_answer.png)

Now we make a regular bash connection to the MySQL container and login to the Limesurvey database.
After successful login, we can get the survey's answers from the table.

$ docker exec -it docker-limesurvey_lime-db_1 bash                     //opening bash in the mysql container
root@52aef6efd6f7:/# mysql -u limesurvey -p --database=limesurvey
Enter password:
Reading table information for completion of table and column names...           
//mysql default login prompt
mysql> select * from lime_survey_469751;                         //the table for the earlier created survey's answers

| id | token | submitdate          | lastpage | startlanguage | seed      | 469751X1X1 |
|  1 | NULL  | 1980-01-01 00:00:00 |        1 | en            | 717837748 | ggdf5dvdc6R8WPUkHlwLNzC/GjAY1rZJHB/wd5L4vbh2Jt5I67B+QdT8VdJBOWSLG5ctmQPiligPItyuJxQ/AlRoaXMgaXMgbXkgYW5zd2VyIHRvIHRoaXMgc3VydmV5Lg== |

1 row in set (0.00 sec)

From here we can see that the answer is encoded in base64. Inspecting it with e.g. gchq.github.io/CyberChef/, adding the whole encoded answer as input and using the recipe From Base64, we can get the whole answer as plain text without any proper encryption. (see lm_cyberchef.png)

The created security.php file contains all the required keys and it's accessible.
Is there something this repo is missing or is Limesurvey supposed to work this way? This could be a security issue, since the config.php file also contains the db connection info in plain-text.


Thanks.
 
Last edit: 2 years 9 months ago by rasberryMouth.
The topic has been locked.
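The following check is an added example and not code from this thread or from LimeSurvey. It does in code what the CyberChef step in the post does by hand: base64-decode a stored column value and flag it if a long run of readable ASCII survives decoding, which is what properly encrypted data should never show. The stored value copied from the post above is included as one input; the second value is a constructed stand-in for real ciphertext built from hash output. The row layout mirrors the `select *` output above, and `inspect_stored_value` / `find_readable_columns` are names chosen for this example.

```python
from __future__ import annotations

import base64
import binascii
import hashlib
import math

# Copied from the forum post above: column 469751X1X1 of lime_survey_469751.
STORED_VALUE = (
    "ggdf5dvdc6R8WPUkHlwLNzC/GjAY1rZJHB/wd5L4vbh2Jt5I67B+QdT8VdJBOWSLG5ctmQPiligPItyuJxQ/"
    "AlRoaXMgaXMgbXkgYW5zd2VyIHRvIHRoaXMgc3VydmV5Lg=="
)

# Constructed comparison value: 96 bytes of hash output standing in for real
# ciphertext, which should contain no readable text after decoding.
_CONSTRUCTED_CIPHERTEXT = (
    hashlib.sha512(b"constructed sample A").digest()
    + hashlib.sha256(b"constructed sample B").digest()
)
CONSTRUCTED_VALUE = base64.b64encode(_CONSTRUCTED_CIPHERTEXT).decode("ascii")

# Printable bytes in a row before we treat the decoded value as readable text.
MIN_READABLE_RUN = 16


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext of any length tends towards 8.0, text stays well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def longest_printable_run(data: bytes) -> tuple[int, int]:
    """Return (start, length) of the longest run of printable ASCII bytes (0x20..0x7E)."""
    best_start = best_len = run_start = run_len = 0
    for i, b in enumerate(data):
        if 0x20 <= b <= 0x7E:
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len > best_len:
                best_start, best_len = run_start, run_len
        else:
            run_len = 0
    return best_start, best_len


def inspect_stored_value(value: str) -> dict:
    """Decode one stored column value and report whether readable text is exposed."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        # Not base64 at all (timestamps, seeds, language codes, ...): nothing to inspect.
        return {"base64": False, "readable": False, "text": None, "prefix_len": None}
    start, length = longest_printable_run(raw)
    readable = length >= MIN_READABLE_RUN
    return {
        "base64": True,
        "readable": readable,
        # The readable part of the decoded value, if any.
        "text": raw[start:start + length].decode("ascii") if readable else None,
        # How many binary bytes precede the readable text (64 for the value in the post).
        "prefix_len": start if readable else None,
        "entropy": round(shannon_entropy(raw), 2),
        "length": len(raw),
    }


def find_readable_columns(rows: list[dict]) -> list[tuple[int, str, str]]:
    """Scan rows shaped like the `select *` output and return (id, column, exposed text)."""
    findings = []
    for row in rows:
        for column, value in row.items():
            if column == "id" or not isinstance(value, str):
                continue
            result = inspect_stored_value(value)
            if result["readable"]:
                findings.append((row["id"], column, result["text"]))
    return findings


# Constructed rows: row 1 reproduces the post's output, row 2 holds the stand-in ciphertext.
SAMPLE_ROWS = [
    {"id": 1, "token": None, "submitdate": "1980-01-01 00:00:00", "lastpage": 1,
     "startlanguage": "en", "seed": "717837748", "469751X1X1": STORED_VALUE},
    {"id": 2, "token": None, "submitdate": "1980-01-01 00:00:01", "lastpage": 1,
     "startlanguage": "en", "seed": "717837749", "469751X1X1": CONSTRUCTED_VALUE},
]

if __name__ == "__main__":
    for finding in find_readable_columns(SAMPLE_ROWS):
        print("row %d column %s exposes: %r" % finding)
```

Run against a real table, the scan would be fed rows from the survey table; any hit means the column is encoded rather than encrypted, regardless of what the admin UI reports. The entropy figure is reported but not used as the decision, because on short answers it does not separate text from ciphertext reliably.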
2 years 9 months ago #218171 by jelo

The created security.php file contains all the required keys and it's accessible.
Is there something this repo is missing or is Limesurvey supposed to work this way? This could be a security issue, since the config.php file also contains the db connection info in plain-text.


There are different topics/issues in your post:
1.) config.php containing plain db connection info is normal.
2.) None of the LimeSurvey GmbH developers know if your docker container is getting the correct LimeSurvey files. There is no official repository for docker containers from LimeSurvey.
3.) That encryption is only done with base64 sounds very strange and is worth reporting as a bug via the bugtracker. The question is if your docker container uses untouched LimeSurvey files or if there is an issue inside the container.

The meaning of the word "stable" for users
www.limesurvey.org/forum/development/117...ord-stable-for-users
2 years 9 months ago #218194 by rasberryMouth
Hello, jelo!

config.php containing plain db connection info is normal.

Yes, I'm aware of that. It was just an observation that anyone with access to the server containing config.php has easy access to the database.

None of the LimeSurvey GmbH developers know if your docker container is getting the correct LimeSurvey files. There is no official repository for docker containers from LimeSurvey.

The entrypoint.sh file does create the correct LimeSurvey files, and if no encryption keys are given, LimeSurvey creates them automatically as intended. I did recreate this with another repository as well (github.com/adamzammit/limesurvey-docker) and the same outcome happened, which is that the data in the database is only encoded with base64.

Also, I did a regular manual installation on Debian 10 (with MySQL and LimeSurvey version 5.0.6) according to the LimeSurvey CE installation instructions (manual.limesurvey.org/Installation_-_LimeSurvey_CE). Yet again the same results appeared.

That encryption is only done with base64 sounds very strange and is worth reporting as a bug via the bugtracker. The question is if your docker container uses untouched LimeSurvey files or if there is an issue inside the container.

I will file a bug report about this for a proper resolution. I would like to get some clarification on how data encryption is executed, as the data encryption instructions describe only very briefly how and what you are able to encrypt (manual.limesurvey.org/Data_encryption/en). Also, I did check and found out that the participant attributes are falsely encrypted in the database as well.


Thanks!
2 years 9 months ago - 2 years 9 months ago #218205 by DenisChenu
Currently: encryption is OK only when you transfer the DB as SQL or BIN.
Or if you host the DB and the PHP server on two different servers.

If someone has access to the PHP server, he gets the whole data. The current encryption mechanism doesn't break such access.

If you want real security, where data is encrypted and only people with a valid decryption key can read it, check github.com/SamMousa/limesurvey-encrypt


ARG: better read the report! It's … bad than I think.
 

Assistance on the LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
I don't answer private messages.
Last edit: 2 years 9 months ago by DenisChenu.
2 years 9 months ago #218206 by rasberryMouth
Alright I'll make sure to check on those.

I did get an answer on the bugtracker as well and it's being resolved.


Thanks for the assistance!