REDCap Survey Auth

@grezniczek grezniczek released this 11 Mar 22:59
· 16 commits to master since this release

Critical security bug fix:

  • REDCap logged the POST request, including the clear-text password, in redcap_log_view.

As the module cannot prevent REDCap from logging non-standard survey POST requests, it now does the next best thing: it runs the query below (limited to the specific project and instrument) as soon as it gets control (in the redcap_survey_page_top hook), thus deleting the log entry that discloses the password.

Run

DELETE FROM redcap_log_view WHERE miscellaneous LIKE "// POST%[redcap_survey_auth-password]%"

against your database to sanitize the table from any previous logins across all projects!
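
To review which projects were affected before running the cleanup, and to confirm afterwards that nothing is left, the following added example (not part of the module or of the original release notes) wraps the same pattern in an audit, delete and verify sequence. The columns project_id, form_name and ts are assumed to exist in redcap_log_view, and the transaction assumes the table uses InnoDB.

```sql
-- Added example, not the module's own code.
-- Assumptions: redcap_log_view has the columns project_id, form_name and ts,
-- and the table is InnoDB (so the DELETE can be rolled back before COMMIT).

-- 1. Audit: which projects/instruments have log entries containing the
--    password field, and over what time span? No row contents are selected,
--    so the passwords themselves are not displayed.
SELECT project_id,
       form_name,
       COUNT(*) AS exposed_entries,
       MIN(ts)  AS first_entry,
       MAX(ts)  AS last_entry
FROM redcap_log_view
WHERE miscellaneous LIKE "// POST%[redcap_survey_auth-password]%"
GROUP BY project_id, form_name
ORDER BY exposed_entries DESC;

-- 2. Cleanup: the release's DELETE, run inside a transaction.
START TRANSACTION;

DELETE FROM redcap_log_view
WHERE miscellaneous LIKE "// POST%[redcap_survey_auth-password]%";

-- Number of rows removed; should equal the sum of exposed_entries from step 1.
SELECT ROW_COUNT() AS deleted_rows;

-- 3. Verify: no matching entries may remain before the change is committed.
SELECT COUNT(*) AS remaining_entries
FROM redcap_log_view
WHERE miscellaneous LIKE "// POST%[redcap_survey_auth-password]%";

-- Use ROLLBACK instead if deleted_rows or remaining_entries look wrong.
COMMIT;
```

The DELETE only affects the live table; copies of these rows in existing database backups or binary logs are not touched by it.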
