15141: Limesurvey uses an out-of-date version of bootstrap.min.js that has security vulnerabilities

This bug affects 1 person(s).

262

ID	Project	Category	View Status	Date Submitted	Last Update

15141	Bug reports	Security	public	2019-08-07 14:23	2021-03-15 15:39

Reporter	ma77ie	Assigned To	gabrieljenik
Priority	normal	Severity	partial_block
Status	closed	Resolution	fixed
Product Version	3.17.x

Summary	15141: Limesurvey uses an out-of-date version of bootstrap.min.js that has security vulnerabilities
Description	Limesurvey uses an out-of-date version of bootstrap.min.js (version 3.3.7) which has security vulnerabilities ( https://www.cvedetails.com/vulnerability-list/vendor_id-19522/product_id-51406/version_id-286029/Getbootstrap-Bootstrap-3.3.7.html ) and should be upgraded to the latest version to fix these vulnerabilities.
Steps To Reproduce	Viewing source of the home page shows the line including bootstrap.min.js:- <script type="text/javascript" src="/surveys/tmp/assets/bd9506bc/bootstrap.min.js" class="headScriptTag"></script> The start of bootstrap.min.js itself shows the version number:- /! Bootstrap v3.3.7 (http://getbootstrap.com) Copyright 2011-2016 Twitter, Inc. Licensed under the MIT license /
Tags	No tags attached.

Bug heat	262
Complete LimeSurvey version number (& build)	3.17.9+190731
I will donate to the project if issue is resolved	No
Browser
Database type & version	MySQL 5.7.20
Server OS (if known)
Webserver software & version (if known)
PHP Version	7.0.33

User List	DenisChenu

~~markusfluer~~ 2019-08-08 16:41 administrator ~53152	Since the switch to Bootstrap v4 has a potentially breaking impact on the software, this will not be done for LimeSurvey version 3 or 4, but rather for LimeSurvey version 5, planned for 2020. The mentioned XSS vulnerabilities are all dependent on an injection of code into specific target attributes on HTML-elements and thus very hard to do for non-administrative users in LimeSurvey. For any of the mentioned vulnerabilities you can create an actual exploit for, we will work on fixing them accordingly. If necessary with an addition to core Bootstrap, or jQuery.

DenisChenu 2019-08-19 10:13 developer ~53190 Last edited: 2021-02-04 13:04	~~@markusfluer~~ : https://github.com/twbs/bootstrap/releases/tag/v3.4.1 Have the fix, the update can be done without broke BS compatibility Security: Fixed an XSS vulnerability (CVE-2019-8331) in our tooltip and popover plugins by implementing a new HTML sanitizer

DenisChenu 2020-05-11 08:40 developer ~57648 Last edited: 2021-02-04 13:04	Markus quit mantis

gabrieljenik 2021-03-01 14:08 manager ~62574	This has already been like this since Aug 2019: https://github.com/LimeSurvey/LimeSurvey/commit/a85ec977be0bce3433dc1363dde5ee65e34fce82

DenisChenu 2021-03-02 10:15 developer ~62601	No `[shnoulle@poledra 3LTS]$ grep -r "Bootstrap v3" * application/extensions/bootstrap/js/bootstrap.min.js: * Bootstrap v3.3.5 (http://getbootstrap.com) application/extensions/bootstrap/js/bootstrap.js: * Bootstrap v3.3.5 (http://getbootstrap.com)` Else : all variations are from 3.3.7 , but no security issue in CSS file.

gabrieljenik 2021-03-04 16:50 manager ~62718	I don't think those files are actually being used. That's part of the yiistrap extenson, whicch provides helpers as TbHtml. That helper is used a lot, but only the php part, not the rest. I have tried chaging the name of those files, and no error appeared. (I haven't tested the whole system). Suggested approach: Create a PR based on dev where we remove those files. Check what's the outcome. What do you think?

DenisChenu 2021-03-04 17:43 developer ~62732	Suggested approach: Create a PR based on dev where we remove those files. :+1:

DenisChenu 2021-03-04 17:44 developer ~62733	Maybe in 3lts too ? And a mini update on `extensions/bootstrap` to remove all registerScriptFile ?

gabrieljenik 2021-03-10 15:56 manager ~63003	https://github.com/LimeSurvey/LimeSurvey/pull/1798 for lts

JHoeck 2021-03-15 12:32 reporter ~63360	Works fine. PR merged into LTS.

gabrieljenik 2021-03-15 12:34 manager ~63361	Fix committed to 3.x-LTS branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=31326

gabrieljenik 2021-03-15 13:30 manager ~63362	Honestly, this was a test as to double check if those removed files are used or not. Not sure if it is the best to remove those files. If removing them is fine, then we should review also on LS4. Looking forward on your comments and directions.

lime_release_bot 2021-03-15 15:39 administrator ~63382	Fixed in Release 3.25.18+210316

LimeSurvey: 3.x-LTS dc679f77 2021-03-15 13:34 gabrieljenik Committer: GitHub Details Diff	Fixed issue 15141: Limesurvey uses an out-of-date version of bootstrap.min.js that has security vulnerabilities (#1798) Updated bootstrap files.	Affected Issues 15141
	mod - application/extensions/bootstrap/components/TbApi.php	Diff File
	rm - application/extensions/bootstrap/js/bootstrap.js	Diff
	rm - application/extensions/bootstrap/js/bootstrap.min.js	Diff

Date Modified	Username	Field	Change
2019-08-07 14:23	ma77ie	New Issue
2019-08-08 16:41	~~markusfluer~~	Note Added: 53152
2019-08-08 16:42	~~markusfluer~~	Assigned To	=> markusfluer
2019-08-08 16:42	~~markusfluer~~	Status	new => feedback
2019-08-19 10:13	DenisChenu	Note Added: 53190
2019-08-19 10:17	DenisChenu	Issue Monitored: DenisChenu
2020-05-11 08:40	DenisChenu	Assigned To	markusfluer => cdorin
2020-05-11 08:40	DenisChenu	Status	feedback => new
2020-05-11 08:40	DenisChenu	Note Added: 57648
2021-02-04 13:04	cdorin	Assigned To	cdorin =>
2021-02-04 13:04	cdorin	Priority	none => normal
2021-02-04 13:04	cdorin	Status	new => confirmed
2021-02-04 13:04	cdorin	Sync to Zoho Project	=> \|Yes\|
2021-03-01 09:33	c_schmitz	Assigned To	=> gabrieljenik
2021-03-01 09:33	c_schmitz	Status	confirmed => assigned
2021-03-01 14:08	gabrieljenik	Note Added: 62574
2021-03-02 10:15	DenisChenu	Note Added: 62601
2021-03-04 16:50	gabrieljenik	Note Added: 62718
2021-03-04 17:43	DenisChenu	Note Added: 62732
2021-03-04 17:44	DenisChenu	Note Added: 62733
2021-03-10 15:56	gabrieljenik	Note Added: 63003
2021-03-15 12:32	JHoeck	Status	assigned => resolved
2021-03-15 12:32	JHoeck	Resolution	open => fixed
2021-03-15 12:32	JHoeck	Note Added: 63360
2021-03-15 12:34	gabrieljenik	Changeset attached	=> LimeSurvey 3.x-LTS dc679f77
2021-03-15 12:34	gabrieljenik	Note Added: 63361
2021-03-15 13:30	gabrieljenik	Note Added: 63362
2021-03-15 15:39	lime_release_bot	Sync to Zoho Project	Yes => \|Yes\|
2021-03-15 15:39	lime_release_bot	Note Added: 63382
2021-03-15 15:39	lime_release_bot	Status	resolved => closed
2021-08-03 07:35	guest	Bug heat	260 => 262

View Issue Details

Users monitoring this issue

Activities

Related Changesets

Issue History