View Issue Details

This bug affects 1 person(s).
ID: 04468
Project: Bug reports
Category: Security
View Status: public
Last Update: 2010-07-17 17:52
Reporter: ls464
Assigned To: c_schmitz
Priority: normal
Severity: minor
Status: closed
Resolution: fixed
Product Version: 1.87
Fixed in Version: 1.90RC3
Summary04468: Tags in username - CSRF attack suspected error
Description

A user with "Create Survey" access only was testing LimeSurvey to see how prone it is to JavaScript vulnerabilities and edited their account name to include a <script> tag. Attached is what they entered, and now when I try to edit/delete/add any usernames I receive the message below:

"Access denied!

Security alert: Someone may be trying to use your LimeSurvey session (CSRF attack suspected). If you just clicked on a malicious link, please report this to your system administrator.
Also this problem can occur when you are working/editing in LimeSurvey in several browser windows/tabs at the same time."

Now as a Super Admin I cannot make changes to Create/Edit user page.

Steps To Reproduce

Create a user. Change the username to include a <script> tag.
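The report above describes a stored cross-site scripting flaw: a username containing markup is written into the user-management pages verbatim, so it executes in the administrator's session and can also corrupt the surrounding form. The following is an added example, not LimeSurvey code, showing the unsafe rendering beside the hardened one; the form layout, field names and the constructed username and token value are assumptions for illustration only. The check parses the rendered HTML rather than grepping it, so it sees exactly what a browser would see.

```python
import html
from html.parser import HTMLParser

# Constructed sample of the kind of username the reporter describes: a
# <script> tag entered through the account-name field. The leading quote
# and angle bracket are there to break out of the value="" attribute.
INJECTED_USERNAME = '"><script>alert(document.cookie)</script>'

# Constructed placeholder for the per-session anti-CSRF token (assumption).
CSRF_TOKEN = "deadbeef0123"


def render_edit_form_unsafe(username: str, csrf_token: str) -> str:
    """Vulnerable rendering: the stored username is interpolated as-is."""
    return (
        '<form method="post" action="admin/user/edit">'
        f'<input type="hidden" name="csrf_token" value="{csrf_token}">'
        f'<input type="text" name="user_name" value="{username}">'
        "</form>"
    )


def render_edit_form_safe(username: str, csrf_token: str) -> str:
    """Hardened rendering: every stored value is HTML-encoded at output time.

    html.escape() with quote=True (the default) encodes < > & " and ', which
    covers both element context and double/single-quoted attribute context.
    """
    return (
        '<form method="post" action="admin/user/edit">'
        f'<input type="hidden" name="csrf_token" value="{html.escape(csrf_token)}">'
        f'<input type="text" name="user_name" value="{html.escape(username)}">'
        "</form>"
    )


class _TagCollector(HTMLParser):
    """Records every start tag and the name/value of every <input>."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.inputs: dict[str, str] = {}

    def handle_starttag(self, tag: str, attrs: list) -> None:
        self.tags.append(tag)
        if tag == "input":
            a = dict(attrs)
            # HTMLParser decodes character references, so an escaped value
            # comes back as the original text, not as live markup.
            self.inputs[a.get("name", "")] = a.get("value", "")


def analyse(markup: str) -> dict:
    """Return the number of real <script> elements and the parsed inputs."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return {"script_elements": p.tags.count("script"), "inputs": p.inputs}


if __name__ == "__main__":
    for label, render in (("unsafe", render_edit_form_unsafe),
                          ("safe", render_edit_form_safe)):
        result = analyse(render(INJECTED_USERNAME, CSRF_TOKEN))
        print(label, result)
```

In the unsafe rendering the parser reports one live script element and an empty user_name field, because the injected quote closed the attribute early; in the hardened rendering there is no script element and user_name round-trips to the exact text the user typed. Encoding at output is the fix that generalises: it protects every page that displays the field, whereas stripping tags on input would still leave any already-stored names dangerous.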

Tags: No tags attached.
Bug heat: 252
Complete LimeSurvey version number (& build): 8518
I will donate to the project if issue is resolved
Browser: IE 7.0
Database type & version: Postgres 8.1
Server OS (if known): Linux 5.2
Webserver software & version (if known): Apache 2.2.11
PHP Version: PHP 5.2.9

Activities

c_schmitz (administrator)
2010-07-17 17:52
Note ~12442

Thank you! Username and real name are now properly sanitized.

Issue History

Date Modified    | Username  | Field            | Change
2010-07-06 19:58 | ls464     | New Issue        |
2010-07-06 19:58 | ls464     | Status           | new => assigned
2010-07-06 19:58 | ls464     | Assigned To      | => user372
2010-07-07 09:39 | c_schmitz | Assigned To      | user372 => c_schmitz
2010-07-17 17:52 | c_schmitz | Note Added       | 12442
2010-07-17 17:52 | c_schmitz | Status           | assigned => closed
2010-07-17 17:52 | c_schmitz | Resolution       | open => fixed
2010-07-17 17:52 | c_schmitz | Fixed in Version | => 1.90RC3