View Issue Details

Related ChangesetsJump to NotesJump to History
This bug affects 1 person(s).
 256
IDProjectCategoryView StatusDate SubmittedLast Update
14376Bug reportsSecuritypublic2018-12-20 18:542019-04-30 09:11
Reportermanuelvsousa Assigned ToDenisChenu  
PriorityurgentSeveritypartial_block 
Status closedResolutionfixed 
Product Version3.15.x 
Fixed in Version3.15.x 
Summary14376: XSS in version 3.15.5 - Survey Resource zip upload
Description

By performing this attack, a zip file when uploaded as Survey resource can execute javascript code in order to steal important parts of admin cookie (CSRF tokens, etc).

This works by uploading a file with a payload. In this case I used the name <svg onload=alert(document.cookie)>.php
Then we also have to have a .xml file with the file in order to get the upload right. In this case, the xml must contain:

    &lt;logo>
        &lt;filename>files/&lt;svg onload=alert(document.cookie)>.php&lt;/filename>
    &lt;/logo>

Check the attached exploit.zip in order to check more details

Steps To Reproduce
  1. Create a Survey.
  2. Click on that survey
  3. In the main panel go to resources
  4. Upload the exploit.zip file
  5. Check the javascript alert as PoC
Additional Information

Other upload parts of this project might be vulnerable using this payload.

TagsNo tags attached.
Attached Files
exploit.zip (5,965 bytes)
Bug heat256
Complete LimeSurvey version number (& build)3.15.5
I will donate to the project if issue is resolvedNo
BrowserLatest version of Google Chrome and Firefox
Database type & versionVer 9.1 Distrib 10.1.34-MariaDB
Server OS (if known)Ubuntu 18.04.1 LTS
Webserver software & version (if known)
PHP Version7.2

Users monitoring this issue

There are no users monitoring this issue.

Activities

DenisChenu

DenisChenu

2018-12-21 12:38

developer   ~50059

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&amp;id=28689
DenisChenu

DenisChenu

2018-12-21 12:43

developer   ~50060

Some other fix to do at another place …

About svg : i think we have an issue here : we allow svg but svg can contains bad JS, and we don't filter SVG …
DenisChenu

DenisChenu

2018-12-23 21:51

developer   ~50071

Waiting for release :)
ollehar

ollehar

2019-01-16 17:30

administrator   ~50234

Fix committed to develop branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&amp;id=28760
manuelvsousa

manuelvsousa

2019-01-24 15:46

reporter   ~50301

I guess this can go public now :) . Thank you for fixing it and making the product more secure.

Related Changesets

LimeSurvey: master bfee69ed

2018-12-21 12:38:10

DenisChenu

Details Diff 		[security] Fixed issue 14376: XSS in Survey Resource zip upload
[security] Fixed issue : XSS in theme zip upload
Dev: CHtml::encode filename (whole) when view
Dev: Same with import theme
Dev: some other fix to do : reporting issues		 Affected Issues
14376
mod - application/views/admin/survey/importSurveyResources_view.php Diff File
mod - application/views/admin/themes/importuploaded_view.php Diff File
mod - application/views/admin/themes/templatesummary_view.php Diff File

LimeSurvey: develop 11e5076d

2018-12-21 12:38:10

DenisChenu


Committer: ollehar Details Diff 		[security] Fixed issue 14376: XSS in Survey Resource zip upload
[security] Fixed issue : XSS in theme zip upload
Dev: CHtml::encode filename (whole) when view
Dev: Same with import theme
Dev: some other fix to do : reporting issues		 Affected Issues
14376
mod - application/views/admin/survey/importSurveyResources_view.php Diff File
mod - application/views/admin/themes/importuploaded_view.php Diff File
mod - application/views/admin/themes/templatesummary_view.php Diff File

Issue History

Date Modified Username Field Change
2018-12-20 18:54 manuelvsousa New Issue
2018-12-20 18:54 manuelvsousa File Added: exploit.zip
2018-12-21 11:37 DenisChenu Assigned To => DenisChenu
2018-12-21 11:37 DenisChenu Status new => assigned
2018-12-21 11:37 DenisChenu Priority none => urgent
2018-12-21 11:37 DenisChenu Description Updated
2018-12-21 11:37 DenisChenu Steps to Reproduce Updated
2018-12-21 12:38 DenisChenu Changeset attached => LimeSurvey master bfee69ed
2018-12-21 12:38 DenisChenu Note Added: 50059
2018-12-21 12:38 DenisChenu Resolution open => fixed
2018-12-21 12:43 DenisChenu Status assigned => resolved
2018-12-21 12:43 DenisChenu Fixed in Version => 3.15.x
2018-12-21 12:43 DenisChenu Note Added: 50060
2018-12-23 21:51 DenisChenu Note Added: 50071
2019-01-16 17:30 ollehar Changeset attached => LimeSurvey develop 11e5076d
2019-01-16 17:30 ollehar Note Added: 50234
2019-01-24 15:46 manuelvsousa Note Added: 50301
2019-01-24 16:05 DenisChenu View Status private => public
2019-04-30 09:11 c_schmitz Status resolved => closed