View Issue Details

ID: 14670
Project: Bug reports
Category: [All Projects] Security
View Status: public
Last Update: 2019-04-30 09:22
Reporter: federico_fernandez_q3rv0
Assigned To: DenisChenu
Priority: none
Severity: major
Status: closed
Resolution: fixed
Product Version: 3.16.x
Target Version:
Fixed in Version: 3.17.x
Summary: 14670: Remote Code Execution in Limesurvey <= 3.16.x via Deserialization Attack in "tcpdf"
Description

I found a Remote Code Execution vulnerability in Limesurvey <= 3.16.x. The application uses an old "tcpdf" library which is vulnerable to a deserialization attack via "phar://".

Steps To Reproduce

Step 1: Go to "email templates" and upload the file exploit.jpg.

Step 2: Go to Overview > Display / Export > queXML PDF export > export.

Step 3: Insert the following HTML code in the "style" field.

<h1>pwned</h1><img src="phar://./upload/surveys/{SURVEYID}/files/exploit.jpg">

Step 4: Click on the "queXML PDF export" button.

Tags: No tags attached.
Complete LimeSurvey version number (& build): 3.16.0
I will donate to the project if issue is resolved: No
Browser:
Database & DB-Version: PostgreSQL 9.6.6
Server OS (if known):
Webserver software & version (if known):
PHP Version: 7.0

Relationships

has duplicate 14824 (closed, c_schmitz): old version of TCPDF

Activities

federico_fernandez_q3rv0

2019-03-20 20:34

reporter

step1.png (65,497 bytes)
step3.png (100,327 bytes)
step4.png (35,850 bytes)
exploit.jpg (516 bytes)
DenisChenu

2019-03-22 16:05

developer   ~51097

Do you know if https://github.com/tecnickcom/tc-lib-pdf/tree/master fixes this issue?

Surely some issues when moving from 6.2.13 to 8.0.0, but …

DenisChenu

2019-03-22 16:07

developer   ~51098

Last edited: 2019-03-22 16:12

Easier:

6.2.22
    - Fix for security vulnerability: Using the phar:// wrapper it was possible to trigger the unserialization of user provided data.

https://sourceforge.net/projects/tcpdf/files/CHANGELOG.TXT/download

Thank you :)

(But style must be filtered for QueXML too … https://github.com/wikimedia/css-sanitizer is a candidate.)
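The report above describes user-supplied HTML/CSS reaching the TCPDF renderer with a `phar://` reference, and the comment above notes that the queXML "style" field should be filtered on the application side as well. The following is an added example of such a filter, written for this page; it is not LimeSurvey or TCPDF code. It applies a scheme allow-list to every URL the markup would make the renderer open, so stream wrappers are rejected before the PDF library sees them. The function names and the allowed scheme list (`http`, `https`) are assumptions for this example; the real fix remains upgrading TCPDF to 6.2.22 or later, as the changelog entry quoted above states.

```php
<?php
// Added example (not LimeSurvey or TCPDF code). Enforces a URL scheme
// allow-list on user-supplied HTML/CSS before it is handed to a PDF
// renderer. Function names and the default scheme list are assumptions.

/**
 * Collect every URL referenced by src="..." attributes and CSS url(...)
 * values. Entities are decoded first so an encoded quote or scheme
 * cannot hide a reference from the matcher.
 */
function extractReferencedUrls(string $markup): array
{
    $decoded = html_entity_decode($markup, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $urls = [];

    // HTML: src="..." or src='...'
    if (preg_match_all('/\bsrc\s*=\s*(["\'])(.*?)\1/is', $decoded, $m)) {
        $urls = array_merge($urls, $m[2]);
    }
    // CSS: url("..."), url('...') or bare url(...)
    if (preg_match_all('/\burl\(\s*(["\']?)(.*?)\1\s*\)/is', $decoded, $m)) {
        $urls = array_merge($urls, $m[2]);
    }
    return array_map('trim', $urls);
}

/**
 * True when the URL is a relative reference (no scheme) or uses an
 * allowed scheme. An allow-list is used instead of denying "phar" alone,
 * because PHP registers several other stream wrappers that a file-opening
 * renderer would honour just as readily.
 */
function urlUsesAllowedScheme(string $url, array $allowed = ['http', 'https']): bool
{
    // RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return true; // relative reference such as ./img/logo.png
    }
    return in_array(strtolower($m[1]), $allowed, true);
}

/**
 * Gate for the "style" field: reject the whole submission if any
 * referenced URL uses a scheme outside the allow-list.
 */
function styleFieldIsSafe(string $markup): bool
{
    foreach (extractReferencedUrls($markup) as $url) {
        if (!urlUsesAllowedScheme($url)) {
            return false;
        }
    }
    return true;
}

// Constructed inputs: the markup shape from this report, and a benign style.
$reported = '<img src="phar://./upload/surveys/{SURVEYID}/files/exploit.jpg">';
$benign   = '<h1 style="background: url(https://example.org/logo.png)">Title</h1>';

var_dump(styleFieldIsSafe($reported));
var_dump(styleFieldIsSafe($benign));
```

Run as written, the first call returns `false` (the `phar` scheme is not on the allow-list) and the second returns `true`. The gate is deliberately coarse: it rejects the submission rather than trying to rewrite it, since a CSS sanitizer such as the one linked above is the right tool for selectively keeping safe declarations, and the scheme check here is the minimum that closes the wrapper path regardless of which renderer version is installed.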

DenisChenu

2019-03-25 08:39

developer   ~51116

https://github.com/LimeSurvey/LimeSurvey/commit/1cdd78d27697b3150bb44aaa7af1a81062a591a5

c_schmitz

2019-04-30 09:22

administrator   ~51695

Fixed in 3.17.0

Issue History

Date Modified Username Field Change
2019-03-20 20:34 federico_fernandez_q3rv0 New Issue
2019-03-20 20:34 federico_fernandez_q3rv0 File Added: step1.png
2019-03-20 20:34 federico_fernandez_q3rv0 File Added: step3.png
2019-03-20 20:34 federico_fernandez_q3rv0 File Added: step4.png
2019-03-20 20:34 federico_fernandez_q3rv0 File Added: exploit.jpg
2019-03-22 16:05 DenisChenu Note Added: 51097
2019-03-22 16:07 DenisChenu Note Added: 51098
2019-03-22 16:08 DenisChenu Note Edited: 51098
2019-03-22 16:12 DenisChenu Note Edited: 51098
2019-03-22 16:25 DenisChenu Assigned To => DenisChenu
2019-03-22 16:25 DenisChenu Status new => assigned
2019-03-25 08:39 DenisChenu Note Added: 51116
2019-03-25 08:40 DenisChenu Status assigned => resolved
2019-03-25 08:40 DenisChenu Resolution open => fixed
2019-03-25 08:40 DenisChenu View Status private => public
2019-03-25 08:40 DenisChenu Steps to Reproduce Updated
2019-03-25 08:41 DenisChenu Fixed in Version => 3.16.x
2019-04-02 16:40 ollehar Status resolved => closed
2019-04-02 16:40 ollehar Fixed in Version 3.16.x => 3.17.x
2019-04-30 09:22 c_schmitz Relationship added has duplicate 14824
2019-04-30 09:22 c_schmitz Note Added: 51695