View Issue Details

ID: 04904
Project: Bug reports
Category: Security
View Status: public
Last Update: 2011-04-13 23:59
Reporter: starmonkey
Assigned To: texens
Priority: normal
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 1.91RC2
Target Version: 1.91RC4
Fixed in Version: 1.91RC4
Summary: 04904: SQL Injection possible in admin/browse.php
Description

Unless LS does global input filtering, admin/browse.php has a SQL injection attack:

$query .= " FROM $surveytable WHERE id={$_POST['downloadfile']}";

That means I can post a value of "x'; DROP TABLE blah; --" in $_POST['downloadfile'] and cause mayhem as an admin? I haven't tested it, but I'm fairly sure that's so.

This is just one case that I found while looking into the file_upload question types "download" functionality from the admin interface. I'm sure there may be many more, perhaps in the front-end where a malicious user can cause mayhem?

Additional Information

http://unixwiz.net/techtips/sql-injection.html

Tags: No tags attached.
Bug heat: 262
Complete LimeSurvey version number (& build): 9672
I will donate to the project if issue is resolved: No
Browser: FF
Database type & version: MySQL5
Server OS (if known): Windows7
Webserver software & version (if known): Apache2
PHP Version: PHP5
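
The pattern quoted in the description, beside a hardened form, as an added example that is not LimeSurvey's own code. PDO is used here as a stand-in for the project's database layer, $_POST is passed in as a parameter so both functions can be exercised, and the survey table-name pattern is an assumption.

```php
<?php
// Added example, not LimeSurvey's own code. It pairs the vulnerable pattern
// quoted in the report with a hardened version. PDO stands in for the
// project's database layer; the table-name pattern is an assumption.

// Vulnerable pattern from the report: the POST value is interpolated into the
// SQL string, so anything that is not a plain number changes the query.
function buildQueryVulnerable(string $surveytable, array $post): string
{
    $query = "SELECT *";
    $query .= " FROM $surveytable WHERE id={$post['downloadfile']}";
    return $query;
}

// Hardened version: refuse anything that is not a positive integer, allow-list
// the table name (assumed pattern), and bind the id as a typed parameter so the
// database never parses user input as SQL.
function fetchResponseRow(PDO $db, string $surveytable, array $post): ?array
{
    if (!preg_match('/^[A-Za-z0-9_]*survey_\d+$/', $surveytable)) {
        throw new InvalidArgumentException('unexpected survey table name');
    }
    $id = filter_var($post['downloadfile'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;   // reject rather than try to "clean" the value
    }
    $stmt = $db->prepare("SELECT * FROM $surveytable WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo on an in-memory SQLite database (table name assumed).
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE lime_survey_12345 (id INTEGER PRIMARY KEY, token TEXT)");
$db->exec("INSERT INTO lime_survey_12345 VALUES (1, 'abc')");

// The vulnerable builder happily embeds the payload from the report.
echo buildQueryVulnerable('lime_survey_12345',
    ['downloadfile' => "x'; DROP TABLE blah; --"]), "\n";

// The hardened lookup returns the row for a numeric id ...
var_dump(fetchResponseRow($db, 'lime_survey_12345', ['downloadfile' => '1']));
// ... and returns null for the same payload without building any SQL.
var_dump(fetchResponseRow($db, 'lime_survey_12345',
    ['downloadfile' => "x'; DROP TABLE blah; --"]));
```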

Users monitoring this issue

DenisChenu

Activities

Mazi (updater) 2011-01-31 16:29 ~14015

This really seems to be an urgent issue. Amit, can you have a look at this ASAP?

texens (reporter) 2011-02-06 13:59 ~14062

Fixed in r9744.
This indeed is a major issue and we need to mine the entire LS1 codebase to prevent any SQL injection.

mdekker (reporter) 2011-02-07 11:07 ~14074

I believe the error is still present in the code so changing status...

Mazi (updater) 2011-02-08 23:15 ~14093

Texens, did you commit to the wrong branch?

If I remember correctly Carsten did some tests of such security issues a few months ago so please check your own code and every file you edited carefully.

texens (reporter) 2011-02-12 10:55 ~14176

Mazi,

Yes I had committed this bug to the dev branch.

Have fixed this bug in the stable branch in r9784, but I'll keep this bug report open so that I don't forget to do a complete check on all the new files/modifications that I have introduced for FUQT.

DenisChenu (developer) 2011-02-16 00:10 ~14194

texens,

I think there is some error in the fix for the dev branch, I can't browse

Parse error: syntax error, unexpected $end in ./limesurvey-dev/admin/browse.php on line 1253

:)

texens (reporter) 2011-02-16 14:23 ~14200

Did somebody already fix this issue? I'm unable to reproduce the aforementioned error. (I'm on rev 9804)

DenisChenu (developer) 2011-02-16 16:24 ~14203

Sorry texens, I fixed it, shame on me :)

And it's a merge error.

c_schmitz (administrator) 2011-03-08 14:57 ~14336

What's the status on this? Didn't you resolve it already? If yes, please set to resolved.

Issue History

Date Modified Username Field Change
2011-01-26 14:28 starmonkey New Issue
2011-01-27 00:04 c_schmitz Assigned To => texens
2011-01-27 00:04 c_schmitz Status new => assigned
2011-01-31 16:29 Mazi Note Added: 14015
2011-02-01 14:40 DenisChenu Issue Monitored: DenisChenu
2011-02-01 16:15 mdekker Target Version => 1.91RC4
2011-02-06 13:59 texens Note Added: 14062
2011-02-06 13:59 texens Status assigned => resolved
2011-02-06 13:59 texens Fixed in Version => 1.91RC4
2011-02-06 13:59 texens Resolution open => fixed
2011-02-07 11:07 mdekker Note Added: 14074
2011-02-07 11:07 mdekker Status resolved => acknowledged
2011-02-08 23:15 Mazi Note Added: 14093
2011-02-12 10:43 texens Status acknowledged => assigned
2011-02-12 10:55 texens Note Added: 14176
2011-02-16 00:10 DenisChenu Note Added: 14194
2011-02-16 14:23 texens Note Added: 14200
2011-02-16 16:24 DenisChenu Note Added: 14203
2011-03-08 14:57 c_schmitz Note Added: 14336
2011-03-15 18:54 texens Status assigned => resolved
2011-04-13 23:59 c_schmitz Status resolved => closed
2021-08-03 10:48 guest Bug heat 260 => 262