View Issue Details

IDProjectCategoryView StatusLast Update
14609Bug reports[All Projects] Import/Exportpublic2019-04-02 16:41
ReporterrealitixAssigned Toollehar 
Status closedResolutionfixed 
Product Version3.15.x 
Target VersionFixed in Version3.17.x 
Summary14609: [SECURITY] Prevent SID of 0 during import


When you import a survey, if the sid is 0, it will crash all the application.
Indeed, an attacker can manually set the sid to 0 in the .lss file.

The import works but then the application will crash at several places and the survey is impossible to delete.
Warning, if you try to reproduce this bug, you will need to delete the survey in database.

I'm sending the pull request that fixes it.

Steps To Reproduce
  1. Create a new survey by importing the joined .lss file
  2. Try to delete it
TagsNo tags attached.
Complete LimeSurvey version number (& build)master 3.15.9
I will donate to the project if issue is resolvedNo
Database & DB-Version0
Server OS (if known)
Webserver software & version (if known)
PHP Version0




2019-03-06 12:34


limesurvey_survey_947165.lss (12,850 bytes)


2019-03-06 12:36

reporter   ~50791

Here the pull request:

Issue History

Date Modified Username Field Change
2019-03-06 12:34 realitix New Issue
2019-03-06 12:34 realitix File Added: limesurvey_survey_947165.lss
2019-03-06 12:36 realitix Note Added: 50791
2019-04-02 16:41 ollehar Assigned To => ollehar
2019-04-02 16:41 ollehar Status new => closed
2019-04-02 16:41 ollehar Resolution open => fixed
2019-04-02 16:41 ollehar Fixed in Version => 3.17.x