06548: XSS injection in the function to reload a saved survey

This bug affects 1 person(s).

258

ID	Project	Category	View Status	Date Submitted	Last Update

06548	Bug reports	Security	public	2012-09-04 19:11	2012-09-26 09:05

Reporter	~~user21570~~	Assigned To	c_schmitz
Priority	normal	Severity	partial_block
Status	closed	Resolution	fixed
Product Version	1.92+
Fixed in Version	1.92+

Summary	06548: XSS injection in the function to reload a saved survey
Description	The function to reload a saved survey is prone to XSS. At least three parameters are vulnerable to XSS. Vulnerable parameters: loadname, loadpass, scid poc @ github: https://gist.github.com/3623601
Steps To Reproduce	poc @ github: https://gist.github.com/3623601
Additional Information	Discovered by Markus Piéton (it.sec GmbH & Co. KG)
Tags	No tags attached.
Attached Files	xss-reload-survey.pdf (199,645 bytes)

Bug heat	258
Complete LimeSurvey version number (& build)	120822
I will donate to the project if issue is resolved	No
Browser
Database type & version	MySQL
Server OS (if known)	Linux
Webserver software & version (if known)	Apache
PHP Version	PHP

User List	c_schmitz

Mazi 2012-09-06 15:23 updater ~20634	Hi Jason, I'm assigning some bug reports about some possible vulnerabilities to you because Carsten is on Holiday and will not return before Saturday (and will probably need 3-4 days to clean up his email inbox). Maybe you can have a look and fix it or add a comment and assign it to Carsten if he should have a look later.

jcleeland 2012-09-08 01:12 reporter ~20642	Not entirely sure how to fix this one, referring it to Carsten. The cleaning of the string needs to happen in common_functions.php in the function returnglobal($stringname), there needs to be some function to clean $stringname=="loadpass' and $stringname=='loadname' from any attempted xss injection, but I don't know how this should be done. The 'scid' parameter is not vulnerable to xss injection, in my opinion, because it is only ever tested to see whether it exists (see line 640 of index.php)

c_schmitz 2012-09-13 14:35 administrator ~20673	marpie_ I am sorry but I cannot reproduce this in build 120822. It is reproducable in 120815 but had been already fixed for 120822. Can you please confirm that?

c_schmitz 2012-09-19 17:24 administrator ~20731	Feedback please?

c_schmitz 2012-09-26 09:05 administrator ~20817	Closing due to missing feedback.

Date Modified	Username	Field	Change
2012-09-04 19:11	~~user21570~~	New Issue
2012-09-04 19:11	~~user21570~~	File Added: xss-reload-survey.pdf
2012-09-06 15:23	Mazi	Assigned To	=> jcleeland
2012-09-06 15:23	Mazi	Status	new => assigned
2012-09-06 15:23	Mazi	Issue Monitored: c_schmitz
2012-09-06 15:23	Mazi	Note Added: 20634
2012-09-08 01:12	jcleeland	Assigned To	jcleeland => c_schmitz
2012-09-08 01:12	jcleeland	Note Added: 20642
2012-09-13 14:35	c_schmitz	Note Added: 20673
2012-09-13 14:35	c_schmitz	Status	assigned => feedback
2012-09-19 17:24	c_schmitz	Note Added: 20731
2012-09-26 09:05	c_schmitz	Note Added: 20817
2012-09-26 09:05	c_schmitz	Status	feedback => closed
2012-09-26 09:05	c_schmitz	Resolution	open => fixed
2012-09-26 09:05	c_schmitz	Fixed in Version	=> 1.92+
2021-08-04 19:16	guest	Bug heat	256 => 258