View Issue Details

This bug affects 1 person(s).
ID: 10576
Project: Feature requests
Category: Security
View Status: public
Last Update: 2021-03-08 19:45
Reporter: johntopley
Assigned To: c_schmitz
Priority: normal
Severity: feature
Status: closed
Resolution: won't fix
Summary10576: Cross Frame Scripting Vulnerability
Description

Our LimeSurvey installation was recently penetration tested by a security consultancy. They identified that LimeSurvey has a vulnerability whereby it allows itself to be embedded within an iFrame on a web page controlled by a third-party. This would allow an attacker to capture keystrokes entered within LimeSurvey.

Additional Information

Open Web Application Security Project (OWASP): Cross Frame Scripting https://www.owasp.org/index.php/Cross_Frame_Scripting

"Frame busting" techniques can be employed by web applications to ensure they cannot be loaded within an iFrame. The current best practice is to use the following suggested JavaScript code:

<!-- Hide the page until the script has confirmed it is not framed. -->
<style type="text/css">html { display:none; }</style>
<script type="text/javascript">
if (self == top) {
    // Top-level window: safe to show the page.
    document.documentElement.style.display = 'block';
} else {
    // Framed by another page: break out of the frame.
    top.location = self.location;
}
</script>
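As an added example (not part of the original report or of LimeSurvey), the header-based counterpart to the frame-busting script above: a Python check that decides whether a response's X-Frame-Options or CSP frame-ancestors headers let a page be framed from a given origin. The function names and sample origins are constructed; it assumes that frame-ancestors is decisive when both headers are present, as the CSP specification permits.

```python
from urllib.parse import urlsplit


def _source_matches(source: str, origin: str, page_origin: str) -> bool:
    """Match one CSP frame-ancestors source expression against an origin."""
    src = source.strip().strip("'").lower()
    if src == "none":
        return False
    if src == "self":
        return origin == page_origin
    if src == "*":
        return True
    # Host sources may omit the scheme ("*.example.com"); urlsplit needs "//".
    src_parts = urlsplit(src if "://" in src else "//" + src)
    org = urlsplit(origin)
    if src_parts.scheme and src_parts.scheme != org.scheme:
        return False
    host = src_parts.hostname or ""
    if host.startswith("*."):
        return (org.hostname or "").endswith(host[1:])
    return org.hostname == host and src_parts.port == org.port


def framing_allowed(headers: dict, page_origin: str, embedding_origin: str) -> bool:
    """Return True if a browser honouring these response headers would render
    the page served from page_origin inside a frame hosted by embedding_origin.
    Assumption: a CSP frame-ancestors directive, when present, is decisive and
    X-Frame-Options is ignored, as the CSP specification permits.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return any(_source_matches(s, embedding_origin, page_origin)
                       for s in value.split())
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedding_origin == page_origin
    # No recognised anti-framing header: any third-party site may frame the
    # page, which is the condition the penetration test in the report found.
    return True


if __name__ == "__main__":
    # Constructed sample: a survey host that sends no anti-framing headers.
    print(framing_allowed({}, "https://survey.example.com", "https://attacker.example"))
```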

Tags: data integrity, data security
Attached Files: 10576.png (139,469 bytes)
Bug heat: 254

Activities

DenisChenu (developer), 2016-02-25 08:38, note ~35679

Hi,

We have a lot of users who want LimeSurvey in an iframe.... And actually: these users must deactivate the CSRF control to allow it.

johntopley (reporter), 2016-02-25 10:17, note ~35686

Hi,

Is that the "enableCsrfValidation" setting as documented here: https://manual.limesurvey.org/Optional_settings#Request_settings ?

DenisChenu (developer), 2016-02-25 10:31, note ~35689 (last edited: 2016-02-25 10:33)

Yes,

But for the issue: can you reproduce with an iframe on demo.limesurvey.org, for example?
Because the same-origin policy must fix the issue, no?

The top can not read the iframe if it's not the same domain, except if the server admin changes the same-origin policy.

OK: IE bug..... (version?)

Actually:
User website: example.com
LS website: example.com/survey

The user can use an iframe with no problem. A LOT of users want this... then I don't want it in core.
And more: it's a template issue, or can be done in a plugin for all templates.

johntopley (reporter), 2016-03-02 09:51, note ~35833

The attached file is a screenshot taken from the penetration testing report that shows our LimeSurvey instance embedded in an iFrame. Our LimeSurvey has 'enableCsrfValidation'=>true in application/config/internal.php.

Is this the expected behaviour?

DenisChenu (developer), 2016-03-02 10:00, note ~35834

OK, embedded in an iframe: but did you try to enter the survey?
CSRF issue, no?

DenisChenu (developer), 2016-03-02 10:00, note ~35835

Your thoughts on this?
I think it's more a template issue, and not a security risk.

DenisChenu (developer), 2016-03-03 15:13, note ~35880

Reassigning it to you, Carsten; I think it's not a security issue. The browser must do the job: same-origin policy.
If browsers are broken: the user must update his browser.

DenisChenu (developer), 2020-10-26 16:43, note ~60415

See https://manual.limesurvey.org/Optional_settings#Allow_usage_of_session_and_Csrf_Validation_in_iFrame_.28New_in_3.24.3_.29

Issue History

Date Modified Username Field Change
2016-02-24 14:56 johntopley New Issue
2016-02-24 14:56 johntopley Tag Attached: data integrity
2016-02-24 14:56 johntopley Tag Attached: data security
2016-02-25 08:38 DenisChenu Note Added: 35679
2016-02-25 10:17 johntopley Note Added: 35686
2016-02-25 10:31 DenisChenu Note Added: 35689
2016-02-25 10:33 DenisChenu Note Edited: 35689
2016-03-02 09:48 johntopley File Added: 10576.png
2016-03-02 09:51 johntopley Note Added: 35833
2016-03-02 10:00 DenisChenu Note Added: 35834
2016-03-02 10:00 DenisChenu Note Added: 35835
2016-03-02 10:00 DenisChenu Assigned To => c_schmitz
2016-03-02 10:00 DenisChenu Status new => feedback
2016-03-02 10:00 DenisChenu Assigned To c_schmitz =>
2016-03-03 15:12 DenisChenu Assigned To => c_schmitz
2016-03-03 15:12 DenisChenu Status feedback => assigned
2016-03-03 15:13 DenisChenu Note Added: 35880
2020-10-26 16:43 DenisChenu Note Added: 60415
2021-03-08 19:45 c_schmitz Status assigned => closed
2021-03-08 19:45 c_schmitz Resolution open => won't fix