View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
04468 | Bug reports | Security | public | 2010-07-06 19:58 | 2010-07-17 17:52 |
Reporter | ls464 | Assigned To | c_schmitz | ||
Priority | normal | Severity | minor | ||
Status | closed | Resolution | fixed | ||
Product Version | 1.87 | ||||
Fixed in Version | 1.90RC3 | ||||
Summary | 04468: Tags in username - CSRF attack suspected error | ||||
Description | A user with "Create Survey" access only was testing LimeSurvey to see how prone it is to JavaScript vulnerabilities and edited their account name to include a <script> tag. Attached is what they entered, and now when I try to edit/delete/add any usernames, I receive the message below: "Access denied! Security alert: Someone may be trying to use your LimeSurvey session (CSRF attack suspected). If you just clicked on a malicious link, please report this to your system administrator." Now as a Super Admin I cannot make changes to the Create/Edit user page. | ||||
Steps To Reproduce | Create user. Change Username to include <script> tag. | ||||
Tags | No tags attached. | ||||
Bug heat | 252 | ||||
Complete LimeSurvey version number (& build) | 8518 | ||||
I will donate to the project if issue is resolved | |||||
Browser | IE 7.0 | ||||
Database type & version | Postgres 8.1 | ||||
Server OS (if known) | Linux 5.2 | ||||
Webserver software & version (if known) | Apache 2.2.11 | ||||
PHP Version | PHP 5.2.9 | ||||
Date Modified | Username | Field | Change |
---|---|---|---|
2010-07-06 19:58 | ls464 | New Issue | |
2010-07-06 19:58 | ls464 | Status | new => assigned |
2010-07-06 19:58 | ls464 | Assigned To | => user372 |
2010-07-07 09:39 | c_schmitz | Assigned To | user372 => c_schmitz |
2010-07-17 17:52 | c_schmitz | Note Added: 12442 | |
2010-07-17 17:52 | c_schmitz | Status | assigned => closed |
2010-07-17 17:52 | c_schmitz | Resolution | open => fixed |
2010-07-17 17:52 | c_schmitz | Fixed in Version | => 1.90RC3 |