View Revisions: Issue #14670

Summary 14670: Remote Code Execution in Limesurvey <= 3.16.x via Deserialization Attack in "tcpdf"
Revision 2019-03-25 08:40 by DenisChenu
Steps To Reproduce

Step 1: Go to "email templates" and upload the file exploit.jpg.

Step 2: Go to Overwiew> Display / Export> queXML PDF export> export.

Step 3: Insert the following HTML code in the "style" field.

&lt;h1>pwned&lt;/h1>&lt;img src=&quot;phar://./upload/surveys/{SURVEYID}/files/exploit.jpg&quot;>

Step 4: Click on the "queXML PDF export" button.

Revision 2019-03-20 20:34 by federico_fernandez_q3rv0
Steps To Reproduce

Step 1: Go to "email templates" and upload the file exploit.jpg.

Step 2: Go to Overwiew> Display / Export> queXML PDF export> export.

Step 3: Insert the following HTML code in the "style" field.

&lt;h1>pwned&lt;/h1>&lt;img src=&quot;phar://./upload/surveys/{SURVEYID}/files/exploit.jpg&quot;>

Step 4: Click on the "queXML PDF export" button.