LimeSurvey issue tracker

View Issue Details
ID: 07105
Project: Bug reports
Category: [All Projects] Security
View Status: public
Date Submitted: 2012-12-18 16:43
Last Update: 2013-01-02 21:30
Reporter: josepablo
Assigned To: c_schmitz
Priority: high
Severity: major
Status: closed
Resolution: fixed
Product Version: 2.00+
Target Version: (not set)
Fixed in Version: 2.00+
Summary: 07105: SQL Injection/Blind SQL Injection
Description: POST/GET parameters are not being sanitized.

Setting the value of the parameter '553173X46X522' to 'A1%27+and+%27f%27%3D%27f' demonstrates that it gets executed by the database engine (SQL Injection).

Here's the POST request made to the server with the altered parameter:
fieldnames=553173X46X521%7C553173X46X522%7C553173X46X523SQ001%7C553173X46X523SQ002%7C553173X46X523SQ003%7C553173X46X523SQ004%7C553173X46X523SQ005%7C553173X46X523SQ006%7C553173X46X523SQ007%7C553173X46X531%7C553173X46X532%7C553173X46X536%7C553173X46X537%7C553173X46X538%7C553173X46X539%7C553173X46X540%7C553173X46X541%7C553173X46X542&553173X46X521=39&
553173X46X522=A1%27+and+%27f%27%3D%27f
&java553173X46X522=A1&MULTI553173X46X523=7&553173X46X523SQ001=Y&java553173X46X523SQ001=&553173X46X523SQ002=Y&java553173X46X523SQ002=&553173X46X523SQ003=Y&java553173X46X523SQ003=Y&553173X46X523SQ004=Y&java553173X46X523SQ004=&553173X46X523SQ005=Y&java553173X46X523SQ005=&553173X46X523SQ006=Y&java553173X46X523SQ006=&553173X46X523SQ007=Y&java553173X46X523SQ007=&553173X46X531=30134&553173X46X532=&java553173X46X532=&553173X46X536=&java553173X46X536=&553173X46X537=&java553173X46X537=&553173X46X538=&java553173X46X538=&553173X46X539=&java553173X46X539=&553173X46X540=&java553173X46X540=&553173X46X541=&java553173X46X541=&553173X46X542=&java553173X46X542=&lastgroup=553173X46&relevance521=1&relevance522=1&relevance523=1&relevance531=1&relevance532=0&relevance536=0&relevance537=0&relevance538=0&relevance539=0&relevance540=0&relevance541=0&relevance542=
Steps To Reproduce: The issue was found using IBM AppScan Enterprise Edition. It can be reproduced by altering the POST request as stated above.
Additional Information: In order to use LimeSurvey in government approved projects the issue should be solved.
I will donate to the project if issue is resolved within 48 hrs: Yes
LimeSurvey build number OR git commit ID: 121127
Browser: All
Database & DB-Version: MySQL 5.5.25a-27.1-log Percona Server (GPL), Release rel27.1, Revision 277
Operating System (Server): CentOS release 6.3 (Final)
Webserver software & version: Nginx
PHP Version: 5.3.8

- Notes
Note 23268 - Mazi (developer) - 2012-12-18 17:10

Carsten, can you have a look at this one?

I'm not sure where this POST request is made; I would guess when storing survey field values in the DB.

josepablo can surely provide more details.
Note 23282 - c_schmitz (administrator) - 2012-12-19 16:21

I am sorry but I cannot reproduce it here. Can you provide the related survey as .lss file please?
Note 23283 - c_schmitz (administrator) - 2012-12-19 16:25

And what output do you actually get that shows that the sql injection worked?
Note 23290 - josepablo (reporter) - 2012-12-19 22:37

These are the steps that were taken to produce the SQL Injection:

Set the value of the parameter 'lastgroup' to '553173X461+having+1%3D1--'


Here's the output we got (please look at the body section of the output: column not found...):

HTTP/1.1 500 CDbException
Server: nginx
Date: Tue, 11 Dec 2012 14:41:33 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: PHP/5.3.18
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 11 Dec 2012 14:41:32 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
<!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>Internal Server Error</title>

....

<body>
<h1>Internal Server Error</h1>
<h2>CDbCommand failed to execute the SQL statement : SQLSTATE [42S22]: Column not found: 1054 Unknown column '553173X461 having 1=1--time' in 'field list'</h2>


An internal error occurred while the Web server was processing your request.
Please contact the webmaster to report this problem.



Thank you.


<div class="version">
2012-12-11 09:41:33 </div>
</body>
</html>
Note 23291 - c_schmitz (administrator) - 2012-12-19 22:57

I am sorry but that's not an SQL injection - the only thing you can do with this is to create an error message - not elegant. But you won't be able to execute an arbitrary statement using this or create any other damage - because the (invalid) field name itself is properly quoted and you won't be able to break out of these quotes.

I admit this could be handled 'nicer' but in general it is low priority since it is not security relevant.

Anyway, thank you for bringing this to our attention. If you have another case to check please let me know.
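The two payloads in this report, run against constructed code paths of the kind c_schmitz describes. This is an added example, not LimeSurvey code and not the fix that landed in Save.php. It uses SQLite in place of MySQL (SQLite accepts MySQL-style backtick identifier quoting), a made-up response table with column names taken from the request above, and one inference labelled as such in the code: from the error text '553173X461 having 1=1--time' it assumes the application appended "time" to `lastgroup` to form a column name. It shows three things: a value bound as a parameter is stored as the literal string `A1' and 'f'='f` (the same string spliced into the statement text is evaluated as an expression instead, which is what a real injection of that payload would look like); the `lastgroup` payload inside a quoted identifier produces an unknown-column error and nothing else, the behaviour behind the 500 response above; and an input check that rejects the value before any SQL is built, which turns the database error into a clean validation failure.

```python
import re
import sqlite3

# Constructed stand-in for a LimeSurvey response table, NOT the project's schema or code.
# SQLite is used in place of MySQL; it accepts MySQL-style backtick identifier quoting.
SURVEY_ID = "553173"
ANSWER_COLUMNS = ["553173X46X521", "553173X46X522"]   # SIDXGIDXQID names from the request
TIMING_COLUMNS = ["553173X46time"]                    # ASSUMED: <lastgroup> + "time", inferred
                                                      # from the error text, not from the source


def open_db():
    conn = sqlite3.connect(":memory:")
    cols = ", ".join(f"`{c}` TEXT" for c in ANSWER_COLUMNS + TIMING_COLUMNS)
    conn.execute(f"CREATE TABLE `survey_{SURVEY_ID}` (id INTEGER PRIMARY KEY, {cols})")
    return conn


def quote_ident(name):
    """MySQL-style identifier quoting: backticks, with embedded backticks doubled."""
    return "`" + name.replace("`", "``") + "`"


def save_answers(conn, answers):
    """Bound parameters: submitted values reach the engine as data, never as SQL text."""
    names = list(answers)
    for n in names:
        if n not in ANSWER_COLUMNS:
            raise ValueError(f"unknown field {n!r}")
    cols = ", ".join(quote_ident(n) for n in names)
    marks = ", ".join("?" for _ in names)
    cur = conn.execute(
        f"INSERT INTO `survey_{SURVEY_ID}` ({cols}) VALUES ({marks})",
        [answers[n] for n in names],
    )
    return cur.lastrowid


def save_answers_unsafe(conn, answers):
    """Deliberately vulnerable contrast: values spliced into the statement text."""
    names = list(answers)
    cols = ", ".join(quote_ident(n) for n in names)
    vals = ", ".join("'" + answers[n] + "'" for n in names)
    cur = conn.execute(f"INSERT INTO `survey_{SURVEY_ID}` ({cols}) VALUES ({vals})")
    return cur.lastrowid


def read_back(conn, rowid, field):
    cur = conn.execute(
        f"SELECT {quote_ident(field)} FROM `survey_{SURVEY_ID}` WHERE id = ?", (rowid,)
    )
    return cur.fetchone()[0]


def group_time_unchecked(conn, lastgroup):
    """The pattern behind the 500 in the thread: a column name is derived from the
    lastgroup parameter and quoted as an identifier. The quoting keeps the payload
    inside the identifier, so nothing else executes, but an invalid value surfaces
    as an engine error instead of a validation failure."""
    col = quote_ident(lastgroup + "time")
    return conn.execute(f"SELECT {col} FROM `survey_{SURVEY_ID}`").fetchall()


GROUP_RE = re.compile(r"[0-9]+X[0-9]+")


def group_time_checked(conn, lastgroup):
    """Hardened: accept only a well-formed SIDXGID that names a known column."""
    if not GROUP_RE.fullmatch(lastgroup) or lastgroup + "time" not in TIMING_COLUMNS:
        raise ValueError(f"invalid lastgroup {lastgroup!r}")
    return group_time_unchecked(conn, lastgroup)


def demo():
    """Run both payloads from the report (URL-decoded) against each code path."""
    conn = open_db()
    value_payload = "A1' and 'f'='f"            # 553173X46X522=A1%27+and+%27f%27%3D%27f
    ident_payload = "553173X461 having 1=1--"   # lastgroup=553173X461+having+1%3D1--
    out = {"value_payload": value_payload}

    row = save_answers(conn, {"553173X46X521": "39", "553173X46X522": value_payload})
    out["stored"] = read_back(conn, row, "553173X46X522")           # the literal payload

    row = save_answers_unsafe(conn, {"553173X46X521": "39", "553173X46X522": value_payload})
    out["stored_unsafe"] = read_back(conn, row, "553173X46X522")    # expression result, not the text

    try:
        group_time_unchecked(conn, ident_payload)
        out["unchecked"] = "executed"
    except sqlite3.OperationalError as e:
        out["unchecked"] = str(e)                                    # "no such column: ..."
    try:
        group_time_checked(conn, ident_payload)
        out["checked"] = "executed"
    except ValueError as e:
        out["checked"] = str(e)
    out["valid"] = group_time_checked(conn, "553173X46")             # one NULL per stored row
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The check in group_time_checked is the part worth copying: validate request-derived identifiers against what the application already knows exists, and do it before the statement is built, so a scanner's tampered parameter gets a 4xx-style rejection rather than a stack of engine errors in a 500 page.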
Note 23354 - c_schmitz (administrator) - 2012-12-22 18:38

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=10997
Note 23363 - c_schmitz (administrator) - 2012-12-22 19:09

Fix committed to 2.1 branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=11006
Note 23408 - c_schmitz (administrator) - 2013-01-02 21:30

New version released.

- Related Changesets
LimeSurvey: master 0df3fdf8
Timestamp: 2012-12-22 17:38:03
Author: c_schmitz
Committer: c-schmitz
Fixed issue 07105: Bad error handling on invalid lastgroup POST
mod - application/libraries/Save.php
LimeSurvey: 2.1 9be3c860
Timestamp: 2012-12-22 17:38:03
Author: c_schmitz
Committer: c-schmitz
Fixed issue 07105: Bad error handling on invalid lastgroup POST
mod - application/libraries/Save.php

- Issue History
Date Modified Username Field Change
2012-12-18 16:43 josepablo New Issue
2012-12-18 17:08 Mazi Assigned To => c_schmitz
2012-12-18 17:08 Mazi Status new => assigned
2012-12-18 17:10 Mazi Note Added: 23268
2012-12-19 16:21 c_schmitz Note Added: 23282
2012-12-19 16:25 c_schmitz Note Added: 23283
2012-12-19 22:37 josepablo Note Added: 23290
2012-12-19 22:57 c_schmitz Note Added: 23291
2012-12-19 22:57 c_schmitz Status assigned => feedback
2012-12-22 18:38 c_schmitz Status feedback => resolved
2012-12-22 18:38 c_schmitz Fixed in Version => 2.00+
2012-12-22 18:38 c_schmitz Resolution open => fixed
2012-12-22 18:38 c_schmitz Changeset attached => LimeSurvey master 0df3fdf8
2012-12-22 18:38 c_schmitz Note Added: 23354
2012-12-22 19:09 c_schmitz Changeset attached => LimeSurvey 2.1 9be3c860
2012-12-22 19:09 c_schmitz Note Added: 23363
2013-01-02 21:30 c_schmitz Note Added: 23408
2013-01-02 21:30 c_schmitz Status resolved => closed


Copyright © 2000 - 2014 MantisBT Team
Powered by Mantis Bugtracker