View Issue Details
|ID|Project|Category|View Status|Date Submitted|Last Update|
|14708|Bug reports|[All Projects] Security|public|2019-04-01 12:06|2020-01-29 10:13|
|Target Version| |Fixed in Version|3.17.x|
|Summary|14708: Upload files question type does not actually check file type|
The "upload file" question type only checks the file extension, not the actual file type. This allows, for instance, uploading PHP code as a ".gif" file.
|Steps To Reproduce|
Rename a PHP script as .gif, then upload it in an "upload file" question.
|Tags|No tags attached.|
|Complete LimeSurvey version number (& build)|Version 3.15.5+181115|
|I will donate to the project if issue is resolved|No|
|Database & DB-Version|MariaDB 5.5.60|
|Server OS (if known)|
|Webserver software & version (if known)|
After further observation, we didn't find a way to execute code on the server via a forged uploaded file, so I believe this issue's severity might be lower than expected.
Hello there, our company is trying to adopt LimeSurvey, so we ran a security audit before adoption and they discovered three security issues blocking adoption.
Two of them are related to the Upload Question Plugin. One of these two concerns missing content type validation. They mean that if we expect a JPEG file, the content type must also be validated, not only the file extension.
The security issue here isn't related to executable php code but to malicious binary files disguised
I'd like to inspect the code but I'm not really familiar with it; does it reside inside UploaderController.php?
Right: we check the extension, not the MIME type.
Still an issue
PS: maybe we can (in PHP)
Move category: Security to Survey taking. All client actions are not a security fix for the server.
Oops … sorry … the original issue is about real security …
Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=28983
Thank you for your effort! : )
If you want to update «manually», there are some other fixes after this one …
You can get the new controller here : https://github.com/LimeSurvey/LimeSurvey/blob/5ff4910ea13e97a057bd6ab784b1ab1902ffe622/application/controllers/UploaderController.php
I think it can work for all 3.X versions (not tested) (3.17.X sure at 100%)
LimeSurvey: master d3eb007e
2019-05-31 17:39:42
Fixed issue 14708: Upload files question type does not actually check file type
Dev: use CFileHelper::getExtensionByMimeType and compare with allowed type
Dev: Move all error system before checking preview or not
Dev: since all must end with Yii::app()->end, last one is an unknown error
mod - application/controllers/UploaderController.php
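An added example (not LimeSurvey's own code) that contrasts the extension-only check the report describes with a content-based check of the kind the changeset adopts. It uses PHP's built-in finfo directly rather than Yii's CFileHelper::getExtensionByMimeType; the allowlist and the two sample files are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Constructed allowlist: extension => MIME types a file with that extension may report.
// In LimeSurvey the real allowlist comes from the question's settings.
const ALLOWED_TYPES = [
    'gif'  => ['image/gif'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'pdf'  => ['application/pdf'],
];

// The weak check the issue describes: trusts only the client-supplied file name.
function extensionOnlyCheck(string $clientName): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return array_key_exists($ext, ALLOWED_TYPES);
}

// Hardened check: the extension must be allowed AND the bytes on disk must
// identify (libmagic via finfo, assumed available) as a MIME type permitted
// for that extension.
function contentCheck(string $clientName, string $tmpPath): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return false;
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected === false) {
        return false; // unreadable file: fail closed
    }
    return in_array($detected, ALLOWED_TYPES[$ext], true);
}
// Constructed samples: a minimal real GIF, and a PHP script renamed to .gif
// (the reporter's reproduction case).
$samples = [
    'real.gif'   => "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff",
    'script.gif' => "<?php echo 'not an image';\n",
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    printf("%-11s extension-only: %-4s content: %s\n", $name,
        extensionOnlyCheck($name) ? 'pass' : 'fail',
        contentCheck($name, $tmp) ? 'pass' : 'fail');
    unlink($tmp);
}
```

Both samples pass the extension-only check; only the real GIF passes the content check, because finfo reports the renamed script as a PHP source type rather than image/gif.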
|2019-04-01 12:06|ritapas|New Issue|
|2019-04-02 15:02|ritapas|Note Added: 51276|
|2019-05-28 16:26|tassoman|Note Added: 52132|
|2019-05-29 11:17|DenisChenu|Note Added: 52145|
|2019-05-29 11:22|DenisChenu|Note Edited: 52145|
|2019-05-29 14:11|DenisChenu|Category|Security => Survey taking|
|2019-05-29 14:11|DenisChenu|Note Added: 52157|
|2019-05-29 14:13|DenisChenu|Category|Survey taking => Security|
|2019-05-29 14:13|DenisChenu|Note Added: 52158|
|2019-05-29 14:14|DenisChenu|Assigned To|=> DenisChenu|
|2019-05-29 14:14|DenisChenu|Status|new => assigned|
|2019-05-31 17:57|DenisChenu|Status|assigned => resolved|
|2019-05-31 17:57|DenisChenu|Resolution|open => fixed|
|2019-05-31 17:57|DenisChenu|Fixed in Version|=> 3.17.x|
|2019-05-31 17:57|DenisChenu|Note Added: 52259|
|2019-06-03 17:03|DenisChenu|Changeset attached|=> LimeSurvey master d3eb007e|
|2019-06-03 17:03|DenisChenu|Note Added: 52279|
|2019-06-04 13:52|tassoman|Note Added: 52290|
|2019-06-04 14:07|DenisChenu|Note Added: 52291|
|2019-06-04 14:22|ritapas|Note Added: 52293|
|2019-06-26 19:08|DenisChenu|Relationship added|parent of 14989|