View Issue Details

Related ChangesetsJump to NotesJump to History
This bug affects 1 person(s).
 256
IDProjectCategoryView StatusDate SubmittedLast Update
14708Bug reportsSecuritypublic2019-04-01 12:062020-05-15 17:15
Reporterritapas Assigned ToDenisChenu  
PrioritynoneSeveritypartial_block 
Status closedResolutionfixed 
Product Version3.15.x 
Fixed in Version3.17.x 
Summary14708: Upload files question type does not actually check file type
Description

The "upload file" question type does only check file extension but not the actual type. This allows, for instance, uploading php code as a ".gif" file.

Steps To Reproduce

Rename a php script as .gif, the upload it in a "upload file" question.

TagsNo tags attached.
Bug heat256
Complete LimeSurvey version number (& build)Version 3.15.5+181115
I will donate to the project if issue is resolvedNo
Browser
Database type & version MariaDB 5.5.60
Server OS (if known)
Webserver software & version (if known)
PHP Versionrh-php71-1-1

Relationships

Relationship GraphDependency Graph
parent of 14989 closedDenisChenu Problem can't upload file 
parent of 15624 closed File Upload not working for iOS 13.2 

Users monitoring this issue

There are no users monitoring this issue.

Activities

ritapas

ritapas

2019-04-02 15:02

reporter   ~51276

After further observation, we didn't found a way to execute code on the server via a forged uploaded file, so I believe this issue severity might be lower than expected.
tassoman

tassoman

2019-05-28 16:26

reporter   ~52132

Hello there our company is trying to adopt Limesurvey so we ran a security audit before adoption and they discovered three security issues blocking adoption.

Two of them are related to Upload Question Plugin. One of this two is related on missing content type validation. They mean if we expect a jpeg file also content type must be validated, not only file extension.

The security issue here isn't related to executable php code but to malicious binary files disguised

I'd like to inspect code but I'm not really aware about it, do it reside inside UploaderController.php?
https://github.com/LimeSurvey/LimeSurvey/blob/master/application/controllers/UploaderController.php
DenisChenu

DenisChenu

2019-05-29 11:17

developer   ~52145

Last edited: 2019-05-29 11:22

Right : we check extension, not mimetype
https://github.com/LimeSurvey/LimeSurvey/blob/d16e00518dbf62777e08cd2340b1dd2da4ae4921/application/controllers/UploaderController.php#L142

Still an issue

PS : maybe we can (in PHP)

  1. use mime_content_type to get all mimeType allowed
  2. Use CFileHelper::getMimeType to compare mimeType
DenisChenu

DenisChenu

2019-05-29 14:11

developer   ~52157

Move category : security to Survey taking. All client action are not a security fix for server.
DenisChenu

DenisChenu

2019-05-29 14:13

developer   ~52158

Ops … sorry … the original issue is about real security …
DenisChenu

DenisChenu

2019-05-31 17:57

developer   ~52259

https://github.com/LimeSurvey/LimeSurvey/commit/d3eb007e64e9f17d69604440a7890f9f0b628b16
DenisChenu

DenisChenu

2019-06-03 17:03

developer   ~52279

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=28983
tassoman

tassoman

2019-06-04 13:52

reporter   ~52290

Thank you for your effort! : )
DenisChenu

DenisChenu

2019-06-04 14:07

developer   ~52291

If you want to update «manually» there are some other fix after this one …

You can get the new controller here : https://github.com/LimeSurvey/LimeSurvey/blob/5ff4910ea13e97a057bd6ab784b1ab1902ffe622/application/controllers/UploaderController.php

I think it can work for all 3.X version (not tested) (3.17.X sure at 100%)
ritapas

ritapas

2019-06-04 14:22

reporter   ~52293

Thank you

Related Changesets

LimeSurvey: master d3eb007e

2019-05-31 19:39

DenisChenu


Details Diff		 Fixed issue 14708: Upload files question type does not actually check file type
Dev: use CFileHelper::getExtensionByMimeType and compare with allowed type
Dev: Move all error system before checking preview or not
Dev: since all must end with Yii::app()->end, last one is an unkown error		 Affected Issues
14708
mod - application/controllers/UploaderController.php Diff File

Issue History

Date Modified Username Field Change
2019-04-01 12:06 ritapas New Issue
2019-04-02 15:02 ritapas Note Added: 51276
2019-05-28 16:26 tassoman Note Added: 52132
2019-05-29 11:17 DenisChenu Note Added: 52145
2019-05-29 11:22 DenisChenu Note Edited: 52145
2019-05-29 11:22 DenisChenu Issue Monitored: DenisChenu
2019-05-29 14:11 DenisChenu Category Security => Survey taking
2019-05-29 14:11 DenisChenu Note Added: 52157
2019-05-29 14:13 DenisChenu Category Survey taking => Security
2019-05-29 14:13 DenisChenu Note Added: 52158
2019-05-29 14:14 DenisChenu Assigned To => DenisChenu
2019-05-29 14:14 DenisChenu Status new => assigned
2019-05-31 17:57 DenisChenu Status assigned => resolved
2019-05-31 17:57 DenisChenu Resolution open => fixed
2019-05-31 17:57 DenisChenu Fixed in Version => 3.17.x
2019-05-31 17:57 DenisChenu Note Added: 52259
2019-06-03 17:03 DenisChenu Changeset attached => LimeSurvey master d3eb007e
2019-06-03 17:03 DenisChenu Note Added: 52279
2019-06-04 13:52 tassoman Note Added: 52290
2019-06-04 14:07 DenisChenu Note Added: 52291
2019-06-04 14:22 ritapas Note Added: 52293
2019-06-05 08:18 DenisChenu Issue End Monitor: DenisChenu
2019-06-26 19:08 DenisChenu Relationship added parent of 14989
2020-03-09 15:36 c_schmitz Status resolved => closed
2020-05-15 17:15 DenisChenu Relationship added parent of 15624