Bypass IP detection lead to perform brute-force attack in limesurvey/limesurvey


Reported on

Feb 24th 2023


In login function, by default, the IP address will be blocked when the user tries to login incorrectly more than 3 times but we can bypass this mechanism by abuse X-Forwarded-For header to bypass IP dectection and perform password brute-force.

Proof of Concept

POST /LimeSurvey/index.php/admin/authentication/sa/login HTTP/1.1
Host: localhost:8888
Content-Type: application/x-www-form-urlencoded
Content-Length: 213
Origin: http://localhost:8888
Referer: http://localhost:8888/LimeSurvey/index.php/admin/authentication/sa/login
Cookie: PHPSESSID=4c6885df75ee21adc859130d344ad10e; LS-GXWBZDRRIABHCKHE=l0l8po0cduq9oqeek2pt7ciu13; YII_CSRF_TOKEN=RTQ0bk95WGFRd09CV3hYU1VDZG1scDBPMlRUTVRSZFO7ptHMioAExLZ4fFXUIL3VABaqXRYtFlMMEqdsdz3RCQ%3D%3D
Sec-Fetch-User: ?1


Step to reproduce

1. Go to http:/<>/index.php/admin/authentication/sa/login, here we will see a login form.
2. Enter any account like admin:admin and then intercept the request with Burp Suite and pass the request to the Intruder tab.
3. Add header X-Forwarded-For: 192.168.0.X.
4. Select attack type Pitchfork.
5. Set the position in the X-Forwarded-For header at X character and the password field
6. In the Payloads tab at the first position set payload type Numbers with range number from 1 to 100 and the second position import wordlist containing the list of passwords to be brute-forced.

PoC Image

As you can see, I have logged in 100 times (by default this action will be locked from the 4th time onwards), image

and on the 98th request I have successfully logged in with the password in the dictionary. image


This vulnerabiliy allow the attacker can perform bruteforce admin's password, perform deny of services attack, ...

We are processing your report and will contact the limesurvey team within 24 hours. 7 months ago
We have contacted a member of the limesurvey team and are waiting to hear back 7 months ago
Carsten Schmitz modified the Severity from High (7.3) to Medium (6.5) 7 months ago
6 months ago


Hi @maintainer,

any update here?

Carsten Schmitz
6 months ago


We are still checking. Please be patient.

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Carsten Schmitz validated this vulnerability 5 months ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carsten Schmitz
5 months ago


Note to myself: This issue was already reported under, a fix is proposed with .

Carsten Schmitz marked this as fixed in 5.6.24 and 6.1.1 with commit 657509 4 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Carsten Schmitz published this vulnerability 4 months ago
to join this conversation