ID: 14670
Project: Bug reports
Category: Security
View Status: public
Last Update: 2019-04-30 09:22
Reporter: federico_fernandez_q3rv0
Assigned To: DenisChenu
Priority: none
Severity: partial_block
Status: closed
Resolution: fixed
Product Version: 3.16.x
Fixed in Version: 3.17.x
Summary: 14670: Remote Code Execution in LimeSurvey <= 3.16.x via Deserialization Attack in "tcpdf"
Description

I found a Remote Code Execution vulnerability in LimeSurvey <= 3.16.x. The application uses an old "tcpdf" library which is vulnerable to a deserialization attack via "phar://".

Steps To Reproduce

Step 1: Go to "email templates" and upload the file exploit.jpg.

Step 2: Go to Overview > Display / Export > queXML PDF export > export.

Step 3: Insert the following HTML code in the "style" field.

<h1>pwned</h1><img src="phar://./upload/surveys/{SURVEYID}/files/exploit.jpg">

Step 4: Click on the "queXML PDF export" button.

Tags: No tags attached.

Attached Files:
step1.png (65,497 bytes)
step3.png (100,327 bytes)
step4.png (35,850 bytes)
exploit.jpg (516 bytes)

Complete LimeSurvey version number (& build): 3.16.0
I will donate to the project if issue is resolved: No
Database type & version: PostgreSQL 9.6.6
PHP Version: 7.0

Relationships

has duplicate: 14824 (closed, c_schmitz) old version of TCPDF

Activities

DenisChenu (developer), 2019-03-22 16:05, note ~51097

Do you know if https://github.com/tecnickcom/tc-lib-pdf/tree/master fixes this issue?

Surely some issues when moving from 6.2.13 to 8.0.0, but …

DenisChenu (developer), 2019-03-22 16:07, note ~51098 (last edited 2019-03-22 16:12)

Easier:

6.2.22
    - Fix for security vulnerability: Using the phar:// wrapper it was possible to trigger the unserialization of user provided data.

https://sourceforge.net/projects/tcpdf/files/CHANGELOG.TXT/download

Thank you :)

(But the style must be filtered for QueXML too … https://github.com/wikimedia/css-sanitizer as a candidate.)
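The input-side filtering mentioned in this note, for the vector in the report's step 3, as an added example that is neither LimeSurvey's nor TCPDF's code: any <img> whose src names a PHP stream wrapper (phar://, php://, data:, and so on) is dropped from user-supplied HTML before it can reach TCPDF::writeHTML(); the function names are assumed, and only http(s) URLs and plain relative paths without ".." are kept.

```php
<?php
// Added example, not LimeSurvey/TCPDF code. Function names are assumed.
// Filters user-supplied HTML so that no <img src> naming a PHP stream
// wrapper is ever handed to TCPDF, whose image loader touches the path
// with filesystem functions (the step that the phar:// wrapper hooks).

function isSafeImageSource(string $src): bool
{
    $src = trim($src);
    if ($src === '') {
        return false;
    }
    // A "scheme:" prefix means a URL or a PHP wrapper; only http(s) is kept.
    // Matching case-insensitively also rejects variants such as "PHAR://".
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $src, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https'], true);
    }
    // Relative paths stay inside the upload tree: no ".." segments allowed.
    foreach (explode('/', str_replace('\\', '/', $src)) as $segment) {
        if ($segment === '..') {
            return false;
        }
    }
    return true;
}

function stripUnsafeImageSources(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // template fragments are rarely well-formed
    // The XML declaration forces UTF-8; the wrapper div delimits the fragment.
    $doc->loadHTML('<?xml encoding="UTF-8"?><div>' . $html . '</div>');
    libxml_clear_errors();

    // Copy the live NodeList first: removing nodes while iterating it skips items.
    foreach (iterator_to_array($doc->getElementsByTagName('img')) as $img) {
        if (!isSafeImageSource($img->getAttribute('src'))) {
            $img->parentNode->removeChild($img);
        }
    }

    // Serialise only the children of the wrapper div (the first div in the tree).
    $wrapper = $doc->getElementsByTagName('div')->item(0);
    $out = '';
    foreach ($wrapper->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed input in the shape of the report's step 3; the phar:// image is dropped.
$filtered = stripUnsafeImageSources(
    '<h1>test</h1><img src="phar://./upload/surveys/123/files/exploit.jpg">'
);
```

Upgrading TCPDF to 6.2.22 or later remains the actual fix; this filter only keeps the wrapper out of the HTML layer and also rejects data: URIs, which TCPDF otherwise accepts for inline images.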

DenisChenu (developer), 2019-03-25 08:39, note ~51116

https://github.com/LimeSurvey/LimeSurvey/commit/1cdd78d27697b3150bb44aaa7af1a81062a591a5

c_schmitz (administrator), 2019-04-30 09:22, note ~51695

Fixed in 3.17.0

Issue History

Date Modified Username Field Change
2019-03-20 20:34 federico_fernandez_q3rv0 New Issue
2019-03-20 20:34 federico_fernandez_q3rv0 File Added: step1.png
2019-03-20 20:34 federico_fernandez_q3rv0 File Added: step3.png
2019-03-20 20:34 federico_fernandez_q3rv0 File Added: step4.png
2019-03-20 20:34 federico_fernandez_q3rv0 File Added: exploit.jpg
2019-03-22 16:05 DenisChenu Note Added: 51097
2019-03-22 16:07 DenisChenu Note Added: 51098
2019-03-22 16:08 DenisChenu Note Edited: 51098
2019-03-22 16:12 DenisChenu Note Edited: 51098
2019-03-22 16:25 DenisChenu Assigned To => DenisChenu
2019-03-22 16:25 DenisChenu Status new => assigned
2019-03-25 08:39 DenisChenu Note Added: 51116
2019-03-25 08:40 DenisChenu Status assigned => resolved
2019-03-25 08:40 DenisChenu Resolution open => fixed
2019-03-25 08:40 DenisChenu View Status private => public
2019-03-25 08:40 DenisChenu Steps to Reproduce Updated
2019-03-25 08:41 DenisChenu Fixed in Version => 3.16.x
2019-04-02 16:40 ollehar Status resolved => closed
2019-04-02 16:40 ollehar Fixed in Version 3.16.x => 3.17.x
2019-04-30 09:22 c_schmitz Relationship added has duplicate 14824
2019-04-30 09:22 c_schmitz Note Added: 51695