View Issue Details
Field | Value
---|---
ID | 14670
Project | Bug reports
Category | Security
View Status | public
Date Submitted | 2019-03-20 20:34
Last Update | 2019-04-30 09:22
Reporter | federico_fernandez_q3rv0
Assigned To | DenisChenu
Priority | none
Severity | partial_block
Status | closed
Resolution | fixed
Product Version | 3.16.x
Fixed in Version | 3.17.x
Summary | 14670: Remote Code Execution in LimeSurvey <= 3.16.x via Deserialization Attack in "tcpdf"
Description | I found a Remote Code Execution vulnerability in LimeSurvey <= 3.16.x. The application uses an old "tcpdf" library which is vulnerable to a deserialization attack via "phar://".
Steps To Reproduce | Step 1: Go to "email templates" and upload the file exploit.jpg. Step 2: Go to Overview > Display / Export > queXML PDF export > export. Step 3: Insert the following HTML code in the "style" field. Step 4: Click on the "queXML PDF export" button.
Tags | No tags attached.
Attached Files |
Bug heat | 260
Complete LimeSurvey version number (& build) | 3.16.0
I will donate to the project if issue is resolved | No
Browser |
Database type & version | PostgreSQL 9.6.6
Server OS (if known) |
Webserver software & version (if known) |
PHP Version | 7.0
Do you know if https://github.com/tecnickcom/tc-lib-pdf/tree/master fixes this issue? Surely some issues when moving from 6.2.13 to 8.0.0, but …

Easier:
https://sourceforge.net/projects/tcpdf/files/CHANGELOG.TXT/download Thank you :) (But style must be filtered for QueXML too … https://github.com/wikimedia/css-sanitizer is a candidate.)

https://github.com/LimeSurvey/LimeSurvey/commit/1cdd78d27697b3150bb44aaa7af1a81062a591a5

Fixed in 3.17.0
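A defensive check for the point raised in the notes (that the queXML "style" field must be filtered), written as an added example in PHP; it is not LimeSurvey's or TCPDF's code, and the rule that a PDF stylesheet legitimately needs only relative paths and http(s) URLs is an assumption. It extracts url() references from user-supplied CSS and flags any other scheme, including the phar:// wrapper named in this report, after undoing CSS hex escapes so an escaped scheme name is not missed.

```php
<?php
// Added example (not LimeSurvey's or TCPDF's code): flag url() targets in
// user-supplied CSS that use a scheme other than http/https. Assumption: a PDF
// stylesheet legitimately needs only relative paths and http(s) URLs, so any
// other scheme (phar://, file://, data:, ...) is rejected before the CSS
// reaches the PDF renderer.

/**
 * Return the url() targets in $css that are not allowed; [] means clean.
 */
function findDisallowedCssUrls(string $css): array
{
    // Undo CSS hex escapes (e.g. "\70" => "p") so an escaped scheme name
    // such as "\70har://" is still recognised. Only ASCII matters here.
    $decoded = preg_replace_callback(
        '/\\\\([0-9a-fA-F]{1,6})\s?/',
        function ($m) {
            $cp = hexdec($m[1]);
            return $cp < 128 ? chr($cp) : $m[0];
        },
        $css
    );

    $bad = [];
    // Matches url( "target" ), url('target') and url(target)
    if (preg_match_all('/url\(\s*([\'"]?)(.*?)\1\s*\)/is', $decoded, $m)) {
        foreach ($m[2] as $target) {
            $target = trim($target);
            // A leading "scheme:" that is not http/https is a stream wrapper
            // or a data URL and is not allowed.
            if (preg_match('/^([a-z][a-z0-9+.-]*):/i', $target, $s)
                && !in_array(strtolower($s[1]), ['http', 'https'], true)) {
                $bad[] = $target;
            }
        }
    }
    return $bad;
}

// Constructed sample inputs (the archive path is a placeholder).
$clean   = 'body { background: url("images/logo.png"); }';
$wrapper = 'body { background: url(phar://uploads/archive.jpg/x); }';
$escaped = 'body { background: url("\\70har://uploads/archive.jpg/x"); }';

var_dump(findDisallowedCssUrls($clean));   // empty array: nothing flagged
var_dump(findDisallowedCssUrls($wrapper)); // one entry: phar://uploads/archive.jpg/x
var_dump(findDisallowedCssUrls($escaped)); // one entry: phar://uploads/archive.jpg/x
```

A rejected list is a reason to refuse the export request outright rather than to strip the offending url(); silently rewriting attacker-controlled CSS invites bypasses.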
Date Modified | Username | Field | Change |
---|---|---|---|
2019-03-20 20:34 | federico_fernandez_q3rv0 | New Issue | |
2019-03-20 20:34 | federico_fernandez_q3rv0 | File Added: step1.png | |
2019-03-20 20:34 | federico_fernandez_q3rv0 | File Added: step3.png | |
2019-03-20 20:34 | federico_fernandez_q3rv0 | File Added: step4.png | |
2019-03-20 20:34 | federico_fernandez_q3rv0 | File Added: exploit.jpg | |
2019-03-22 16:05 | DenisChenu | Note Added: 51097 | |
2019-03-22 16:07 | DenisChenu | Note Added: 51098 | |
2019-03-22 16:08 | DenisChenu | Note Edited: 51098 | |
2019-03-22 16:12 | DenisChenu | Note Edited: 51098 | |
2019-03-22 16:25 | DenisChenu | Assigned To | => DenisChenu |
2019-03-22 16:25 | DenisChenu | Status | new => assigned |
2019-03-25 08:39 | DenisChenu | Note Added: 51116 | |
2019-03-25 08:40 | DenisChenu | Status | assigned => resolved |
2019-03-25 08:40 | DenisChenu | Resolution | open => fixed |
2019-03-25 08:40 | DenisChenu | View Status | private => public |
2019-03-25 08:40 | DenisChenu | Steps to Reproduce Updated | |
2019-03-25 08:41 | DenisChenu | Fixed in Version | => 3.16.x |
2019-04-02 16:40 | ollehar | Status | resolved => closed |
2019-04-02 16:40 | ollehar | Fixed in Version | 3.16.x => 3.17.x |
2019-04-30 09:22 | c_schmitz | Relationship added | has duplicate 14824 |
2019-04-30 09:22 | c_schmitz | Note Added: 51695 | |