Hello there,
Limesurvey adoption at our company was limited because of the high risk of phishing crafting can be done on mail templates by malicious survey managers.

This plugin removes all the <a href=""></a> links, replacing with plaintext URIs. So that recipient's mail client agent is delegated on link representation and interaction.

We released the plugin wide under open source MIT licence.
github.com/RegioneER/LsRerAntiphishing

Feel free to discuss about it in this thread, any contribution is appreciated by pull requesting on github.

Seems great \o/

DisplayLinkURI of htmlPurifier is not sufficient ?

Another solution can be :
1. Get the HTML from «current» email (invite/reminder/…)
2. strip_tags($notUpdatedBody,)
3. Do the replacement

Or :
In beforeSurveySave event ?

Ciao Denis, thanks for your interest on this topic!

In first analysis we started coding using the DOM XML extension support, then we discovered Yii framework is already prepared for input filtering.

Using strip_tags is no-good because it can create a mess on malformed html.

I think hooking in the two events is safer, because a survey manager still can send mails from a unsaved survey. We're going on with development.

You're right about «beforeSurveySave» : admin user can update the email content before sending.

About have the original (not updated) Body, you can fix it more easily in 4.X : www.limesurvey.org/manual/BeforeEmail i just add a sample (but here only for purify).

Using strip_tags is no-good because it can create a mess on malformed html.

strip_tags + purify after ?

PS : i like to have a solution to get clean {{SURVEYURL}} with a link, but no other link

What kind of people do you employ in your company that you need to make sure that they don't send any phishing mails?

How do you control their normal email behaviour? They can use their normal email account to send phishing emails as well, can't they?

Hello holch.
Judging companies or people is off topic here, as you already know IT security is not based on trust. Let's limit our dialogue to techical aspects of software.
More so when companies needs to comply with particular behaviours because of certifications.

tassoman wrote: as you already know IT security is not based on trust.

Is that the case? E.g. a browser accessing a website via https is not based on trust? Trust by the browser developers put into certain CAs?

Since LimeSurvey hasn't implemented RBAC the requirement of trust into the LS users/admin is part of the game.

tassoman wrote: Let's limit our dialogue to techical aspects of software.

As long as wetware is part of the interaction I cannot remove it from the equation.

So some of us are wondering what the "malicious survey manager" is able to do.
If that survey manager can place a URL inside the invitation, isn't it possible to put the "bad URL" inside a quota URL, which can be removed or added during the survey is running. No traces left.


I'm not so happy about "clever" filtering cause we had a nice history of that in the EndURL field.
Do you see any impact on e.g. ExpressionScript (EM) inside the template with different URLs when you plugin is activated?

The real security disaster was the idea of HTML inside Emails. I let convert everything into Plaintext once it reaches my inbox.

jelo thanks for joining the topic

jelo wrote: Is that the case? E.g. a browser accessing a website via https is not based on trust? Trust by the browser developers put into certain CAs?

HTTPS simply encrypt communications, trusting the encryption is delegated to the parts.
Let's say about phishing that displaying full plain text urls instead of forged links is the only mitigation we have, like encryption in https.

jelo wrote: Since LimeSurvey hasn't implemented RBAC the requirement of trust into the LS users/admin is part of the game.

Granular role assignment is described inside documentation: www.limesurvey.org/manual/Manage_users

jelo wrote: So some of us are wondering what the "malicious survey manager" is able to do.


If that survey manager can place a URL inside the invitation, isn't it possible to put the "bad URL" inside a quota URL, which can be removed or added during the survey is running. No traces left.


I'm not so happy about "clever" filtering cause we had a nice history of that in the EndURL field.
Do you see any impact on e.g. ExpressionScript (EM) inside the template with different URLs when you plugin is activated?

The real security disaster was the idea of HTML inside Emails. I let convert everything into Plaintext once it reaches my inbox.

I understand your concern about feature modification. I agree with you on real security in mail is based on plaintext mailing. Because, as you know, mail transfer protocol was invented ages before the world wide web hypertexts.

Fitting html code inside an email was a «different behaviour» was exploited in the past and stills the hard bad-habit to remove in communications.

Because all of this, Antiphishing Plugin isn't altering survey manager abilities or features. It simply alters notification mails hooking in the «sendmail» kind of events.

It just removes links from html mails, altering that more like a plaintext communication should be.

tassoman wrote:

jelo wrote: Since LimeSurvey hasn't implemented RBAC the requirement of trust into the LS users/admin is part of the game.

Granular role assignment is described inside documentation: www.limesurvey.org/manual/Manage_users

For information, we only disable XSS/javascript for default user.
They still be allowed to put in end url (with autoload), if they have the right to edit survey.

I think right to edit email template is related to the edit survey.

Sending email is related to token update if i don't make error.

tassoman wrote: Judging companies or people is off topic here, as you already know IT security is not based on trust. Let's limit our dialogue to techical aspects of software.
More so when companies needs to comply with particular behaviours because of certifications.

I agree, this is somehow off-topic. I did not want to suggest that there is something wrong with your company, sorry if it came over this way.

But I stand with most of it and I also think it is something that needs to be discussed in this context (and I don't seem to be completely alone on this one).

When I read that someone is concerned about the possibility of employees sending phishing mails via the survey tool (which would have been the last thing I would have thought of as a problem with employees - not that it wouldn't be a possibility, but...), then this opens up a lot more concerns with survey data and privacy.

Someone who has enough criminal energy to send phishing mails via the company survey tool (with a good chance of getting caught if the phishing emails are reported by someone), what would they do with the collected private data they have access to (without much chance of getting caught)? If the phishing scenario is a scenario your company considers viable, in my opinion this would open up a lot of other "holes" I would also (and probably even more) be concerned about.

I think there needs to be a lot of trust involved when it comes to survey creation, survey data and data analysis, because you just can't nail down everything (depends of course on the way you run your surveys, what data is collected, etc.). I probably would rather limit the group of people that have access to the survey tool then. Because there are so many "attack factors" once you have access to the back end of a survey tool.

But if I would fear that some of my employees might use a company tool to send phishing mails, I would probably not want them anywhere near any company email either (actually not even near the company ).

I know, better save than sorry, but I am surprised that this fear even exists. But now that I know that this fear does exist: Do you filter also the question texts? Because if an employee is so malicious to send phishing emails via the company survey system, they also could just include a phishing link into the text of a question or the welcome text. Or could even style a survey as a form to phish directly via the company survey tool. So I guess there is a need for a plugin that filters all question text based on certain rules. OK, links and javascript forwards are probably blocked via the XSS- filter implemented in Limesurvey? I wouldn't know, because I always switch it off on a new installation.

I get the "certifications" part though. Even if you trust your employees, they want it all nailed down to the last bit, some even down to insane levels that make business almost non-viable. "Trust" is a "weak" factor and they love their "hard" factors.

Anyway, thanks for contributing the plugin. This should not be a criticism of the plugin itself and as it is just a plugin, I don't see a problem of having it as an option. Actually in the context of certifications it is a good thing to have the option, if the certificate requires something like this. Despite my thoughts above, I understand that sometimes those things are required. Even if I am more the "trust" guy, rather than the "nail it all shut" guy, as you probably already noticed.

This is probably because in a small company, where everyone knows everyone and without a certain level of trust we could probably close the company.