View Issue Details

ID: 08198
Project: Bug reports
Category: Security
View Status: public
Last Update: 2013-10-11 11:08
Reporter: DenisChenu
Assigned To: DenisChenu
Priority: normal
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 2.05 RC
Fixed in Version: 2.05 RC
Summary: 08198: Change admin of survey is not protected from CSRF
Description

We can forge a POST to update the admin user of a survey, because the JSON requests are not protected (see config/internal.php).

Steps To Reproduce

Use a security test

Additional Information

Views are not protected either in all jqgrids.

Viewing a survey is not dangerous
Viewing tokens can be extremely dangerous (law on private information)
Updating the survey admin can be dangerous
(we cannot set CSRF on all except this one)

I have a solution to update each jqgrid one by one with CSRF token parameters; I will take it before the last RC, but I am looking for a way to update them all at once with default params.

Tags: No tags attached.
Bug heat: 254
Complete LimeSurvey version number (& build): 130927
I will donate to the project if issue is resolved: No
Browser: not relevant
Database type & version: not relevant
Server OS (if known): not relevant
Webserver software & version (if known): not relevant
PHP Version: not relevant

Relationships

related to 08230 (closed, DenisChenu): Can't save a label set
related to 08196 (closed, DenisChenu): Deletion of Token

Activities

DenisChenu (developer) 2013-10-01 08:41 ~26449

Get list is protected:

  • View admin list is in GET (not serious)
  • Update admin is in GET: move it to POST (serious)

DenisChenu (developer) 2013-10-02 16:28 ~26478

Fix committed to 2.05 branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13122

DenisChenu (developer) 2013-10-02 16:46 ~26479

Use $.post for all

c_schmitz (administrator) 2013-10-11 11:08 ~26698

2.05RC2 released

Related Changesets

LimeSurvey: 2.05 b6597da8
2013-10-01 06:39:54, DenisChenu

Fixed issue 08196: CSRF issue with deletion of token
Dev: I love jquery ... Add YII_CSRF_TOKEN to whole ajax request
Dev: TODO: clean up some code not needed

Affected Issues: 08155, 08196, 08198, 08199, 08228, 08230, 08250

mod - application/config/internal.php
mod - application/views/admin/endScripts_view.php
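Added example (not LimeSurvey's own code) modelling the fix described in note ~26479 and the changeset above, in plain JavaScript without jQuery so it runs stand-alone: the client attaches YII_CSRF_TOKEN to every update and always POSTs, and the simulated server side refuses GET for state changes and checks the token, since Yii 1.x validates the CSRF token only on POST requests. The route, token values and function names are assumptions.

```javascript
// Added example (not LimeSurvey's code) modelling the fix this issue describes.
const CSRF_TOKEN_NAME = 'YII_CSRF_TOKEN'; // Yii 1.x default parameter name

// Constant-time comparison so the token check does not leak via timing.
function tokensMatch(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Client side: merge the page's token into the request body, as the changeset
// does for the whole ajax request. pageToken is an assumed (constructed) value.
function withCsrfToken(data, pageToken) {
  return Object.assign({}, data, { [CSRF_TOKEN_NAME]: pageToken });
}

// Every update is built as a POST ("use $.post for all", note ~26479).
function buildUpdateRequest(url, data, pageToken) {
  return { method: 'POST', url, body: withCsrfToken(data, pageToken) };
}

// Server side (simulated): Yii 1.x validates the CSRF token on POST only, so an
// update reachable by GET is unprotected whatever the config says. The handler
// therefore refuses GET outright, then requires a token matching the session's.
function authorizeStateChange(request, sessionToken) {
  if (request.method !== 'POST') {
    return { ok: false, reason: 'state change must be a POST' };
  }
  const sent = request.body ? request.body[CSRF_TOKEN_NAME] : undefined;
  if (typeof sent !== 'string' || !tokensMatch(sent, sessionToken)) {
    return { ok: false, reason: 'missing or invalid CSRF token' };
  }
  return { ok: true };
}

// Walk through the issue with constructed values: a forged cross-site request
// carries no token (whether sent as GET or POST); the fixed client request does.
function demo() {
  const sessionToken = 'constructed-token-0123456789abcdef';
  const url = '/admin/survey/sa/changeowner'; // hypothetical route
  const forgedGet = { method: 'GET', url, body: { surveyid: 1, owner: 99 } };
  const forgedPost = { method: 'POST', url, body: { surveyid: 1, owner: 99 } };
  const fixed = buildUpdateRequest(url, { surveyid: 1, owner: 2 }, sessionToken);
  return {
    forgedGet: authorizeStateChange(forgedGet, sessionToken).ok,   // false
    forgedPost: authorizeStateChange(forgedPost, sessionToken).ok, // false
    fixed: authorizeStateChange(fixed, sessionToken).ok,           // true
  };
}
```

In a browser the same token object would be merged into every jQuery request through $.ajaxSetup or an $.ajaxPrefilter rather than added per call.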

Issue History

Date Modified Username Field Change
2013-09-27 08:53 DenisChenu New Issue
2013-09-27 08:55 DenisChenu Severity minor => partial_block
2013-09-27 08:55 DenisChenu Reproducibility have not tried => always
2013-09-28 09:13 DenisChenu Relationship added related to 08196
2013-09-28 09:13 DenisChenu Assigned To => DenisChenu
2013-09-28 09:13 DenisChenu Status new => assigned
2013-10-01 08:41 DenisChenu Changeset attached => LimeSurvey 2.05 b6597da8
2013-10-01 08:41 DenisChenu Note Added: 26449
2013-10-02 16:28 DenisChenu Changeset attached => LimeSurvey 2.05 ad219cc4
2013-10-02 16:28 DenisChenu Note Added: 26478
2013-10-02 16:28 DenisChenu Resolution open => fixed
2013-10-02 16:46 DenisChenu Note Added: 26479
2013-10-02 16:46 DenisChenu Status assigned => resolved
2013-10-02 16:46 DenisChenu Fixed in Version => 2.05 RC
2013-10-03 14:43 DenisChenu Changeset removed LimeSurvey 2.05 ad219cc4 =>
2013-10-04 16:06 DenisChenu Relationship added related to 08230
2013-10-11 11:08 c_schmitz Note Added: 26698
2013-10-11 11:08 c_schmitz Status resolved => closed