View Issue Details

IDProjectCategoryView StatusLast Update
14708Bug reports[All Projects] Securitypublic2019-06-26 19:08
ReporterritapasAssigned ToDenisChenu 
PrioritynoneSeveritymajor 
Status resolvedResolutionfixed 
Product Version3.15.x 
Target VersionFixed in Version3.17.x 
Summary14708: Upload files question type does not actually check file type
Description

The "upload file" question type does only check file extension but not the actual type. This allows, for instance, uploading php code as a ".gif" file.

Steps To Reproduce

Rename a php script as .gif, the upload it in a "upload file" question.

TagsNo tags attached.
Complete LimeSurvey version number (& build)Version 3.15.5+181115
I will donate to the project if issue is resolvedNo
Browser
Database & DB-Version MariaDB 5.5.60
Server OS (if known)
Webserver software & version (if known)
PHP Versionrh-php71-1-1

Relationships

parent of 14989 resolvedDenisChenu Problem can't upload file 

Activities

ritapas

ritapas

2019-04-02 15:02

reporter   ~51276

After further observation, we didn't found a way to execute code on the server via a forged uploaded file, so I believe this issue severity might be lower than expected.

tassoman

tassoman

2019-05-28 16:26

reporter   ~52132

Hello there our company is trying to adopt Limesurvey so we ran a security audit before adoption and they discovered three security issues blocking adoption.

Two of them are related to Upload Question Plugin. One of this two is related on missing content type validation. They mean if we expect a jpeg file also content type must be validated, not only file extension.

The security issue here isn't related to executable php code but to malicious binary files disguised

I'd like to inspect code but I'm not really aware about it, do it reside inside UploaderController.php?
https://github.com/LimeSurvey/LimeSurvey/blob/master/application/controllers/UploaderController.php

DenisChenu

DenisChenu

2019-05-29 11:17

developer   ~52145

Last edited: 2019-05-29 11:22

View 2 revisions

Right : we check extension, not mimetype
https://github.com/LimeSurvey/LimeSurvey/blob/d16e00518dbf62777e08cd2340b1dd2da4ae4921/application/controllers/UploaderController.php#L142

Still an issue

PS : maybe we can (in PHP)

  1. use mime_content_type to get all mimeType allowed
  2. Use CFileHelper::getMimeType to compare mimeType
DenisChenu

DenisChenu

2019-05-29 14:11

developer   ~52157

Move category : security to Survey taking. All client action are not a security fix for server.

DenisChenu

DenisChenu

2019-05-29 14:13

developer   ~52158

Ops … sorry … the original issue is about real security …

DenisChenu

DenisChenu

2019-05-31 17:57

developer   ~52259

https://github.com/LimeSurvey/LimeSurvey/commit/d3eb007e64e9f17d69604440a7890f9f0b628b16

DenisChenu

DenisChenu

2019-06-03 17:03

developer   ~52279

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=28983

tassoman

tassoman

2019-06-04 13:52

reporter   ~52290

Thank you for your effort! : )

DenisChenu

DenisChenu

2019-06-04 14:07

developer   ~52291

If you want to update «manually» there are some other fix after this one …

You can get the new controller here : https://github.com/LimeSurvey/LimeSurvey/blob/5ff4910ea13e97a057bd6ab784b1ab1902ffe622/application/controllers/UploaderController.php

I think it can work for all 3.X version (not tested) (3.17.X sure at 100%)

ritapas

ritapas

2019-06-04 14:22

reporter   ~52293

Thank you

Related Changesets

LimeSurvey: master d3eb007e

2019-05-31 17:39:42

DenisChenu

Details Diff
Fixed issue 14708: Upload files question type does not actually check file type
Dev: use CFileHelper::getExtensionByMimeType and compare with allowed type
Dev: Move all error system before checking preview or not
Dev: since all must end with Yii::app()->end, last one is an unkown error
Affected Issues
14708
mod - application/controllers/UploaderController.php Diff File

Issue History

Date Modified Username Field Change
2019-04-01 12:06 ritapas New Issue
2019-04-02 15:02 ritapas Note Added: 51276
2019-05-28 16:26 tassoman Note Added: 52132
2019-05-29 11:17 DenisChenu Note Added: 52145
2019-05-29 11:22 DenisChenu Note Edited: 52145 View Revisions
2019-05-29 14:11 DenisChenu Category Security => Survey taking
2019-05-29 14:11 DenisChenu Note Added: 52157
2019-05-29 14:13 DenisChenu Category Survey taking => Security
2019-05-29 14:13 DenisChenu Note Added: 52158
2019-05-29 14:14 DenisChenu Assigned To => DenisChenu
2019-05-29 14:14 DenisChenu Status new => assigned
2019-05-31 17:57 DenisChenu Status assigned => resolved
2019-05-31 17:57 DenisChenu Resolution open => fixed
2019-05-31 17:57 DenisChenu Fixed in Version => 3.17.x
2019-05-31 17:57 DenisChenu Note Added: 52259
2019-06-03 17:03 DenisChenu Changeset attached => LimeSurvey master d3eb007e
2019-06-03 17:03 DenisChenu Note Added: 52279
2019-06-04 13:52 tassoman Note Added: 52290
2019-06-04 14:07 DenisChenu Note Added: 52291
2019-06-04 14:22 ritapas Note Added: 52293
2019-06-26 19:08 DenisChenu Relationship added parent of 14989