08198: Change admin of survey is not protected from CRSF - LimeSurvey bugs and feature requests

This issue affects 1 person(s).

254

ID	Project	Category	View Status	Date Submitted	Last Update

08198	Bug reports	Security	public	2013-09-27 08:53	2013-10-11 11:08

Reporter	DenisChenu	Assigned To	DenisChenu
Priority	normal	Severity	partial_block
Status	closed	Resolution	fixed
Product Version	2.05 RC
Fixed in Version	2.05 RC

Summary	08198: Change admin of survey is not protected from CRSF
Description	We can forge some POST to update admin user of survey. Because all json are not protected (see config/internal.php)
Steps To Reproduce	Use a security test
Additional Information	View are not protected too in all jqgrid. Viewing survey is not dangerous Viewing token can be extermely dangerous (law on private information) Update survey admin can be dangerous (we can not set crsf to all excpet this one) I have solution to update each jqgrid one by one to have crsf token parameters, then i take it before last RC, but search for a way to upadte all in one time with default params.
Tags	No tags attached.

Bug heat	254
Complete LimeSurvey version number (& build)	130927
I will donate to the project if issue is resolved	No
Browser	not relevant
Database type & version	not relevant
Server OS (if known)	not relevant
Webserver software & version (if known)	not relevant
PHP Version	not relevant

User List	There are no users monitoring this issue.

DenisChenu 2013-10-01 08:41 developer ~26449	Get list is protected, View admin list is in GET (not serious) Update admin is in GET : move it to POST (serious)

DenisChenu 2013-10-02 16:28 developer ~26478	Fix committed to 2.05 branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13122

DenisChenu 2013-10-02 16:46 developer ~26479	Use $.post for all

c_schmitz 2013-10-11 11:08 administrator ~26698	2.05RC2 released

LimeSurvey: 2.05 b6597da8 2013-10-01 08:39 DenisChenu Details Diff	Fixed issue 08196: CRSF issue with deletion of token Dev: I love jquery ... Add YII_CSRF_TOKEN to whole ajax request Dev: TODO: clean up some code not needed	Affected Issues 08155, 08196, 08198, 08199, 08228, 08230, 08250
	mod - application/config/internal.php	Diff File
	mod - application/views/admin/endScripts_view.php	Diff File

Date Modified	Username	Field	Change
2013-09-27 08:53	DenisChenu	New Issue
2013-09-27 08:55	DenisChenu	Severity	minor => partial_block
2013-09-27 08:55	DenisChenu	Reproducibility	have not tried => always
2013-09-28 09:13	DenisChenu	Relationship added	related to 08196
2013-09-28 09:13	DenisChenu	Assigned To	=> DenisChenu
2013-09-28 09:13	DenisChenu	Status	new => assigned
2013-10-01 08:41	DenisChenu	Changeset attached	=> LimeSurvey 2.05 b6597da8
2013-10-01 08:41	DenisChenu	Note Added: 26449
2013-10-02 16:28	DenisChenu	Changeset attached	=> LimeSurvey 2.05 ad219cc4
2013-10-02 16:28	DenisChenu	Note Added: 26478
2013-10-02 16:28	DenisChenu	Resolution	open => fixed
2013-10-02 16:46	DenisChenu	Note Added: 26479
2013-10-02 16:46	DenisChenu	Status	assigned => resolved
2013-10-02 16:46	DenisChenu	Fixed in Version	=> 2.05 RC
2013-10-03 14:43	DenisChenu	Changeset removed	LimeSurvey 2.05 ad219cc4 =>
2013-10-04 16:06	DenisChenu	Relationship added	related to 08230
2013-10-11 11:08	c_schmitz	Note Added: 26698
2013-10-11 11:08	c_schmitz	Status	resolved => closed

related to	08230	closed	DenisChenu	Can't save a label set
related to	08196	closed	DenisChenu	Deletion of Token