View Issue Details

ID: 14713
Project: Bug reports
Category: [All Projects] Security
View Status: public
Last Update: 2019-04-02 16:43
Reporter: bewi
Assigned To: DenisChenu
Priority: none
Severity: major
Status: closed
Resolution: fixed
Product Version: 3.16.x
Target Version: 
Fixed in Version: 3.17.x
Summary14713: Persistent XSS in user group management
Description

It is possible to permanently store malware in the application and an admin with low privileges can infect a SuperAdmin.

Any user or admin who can create a new user group or who can edit a user group can infiltrate malicious code in the "Description" input field.
As soon as an admin logs in and opens the tab "Configuration/Create/edit user groups", the malicious code is executed.

Steps To Reproduce

See screenshots:

Limesurvey - 01 - editing user group.png
Insert any HTML code in the description field, e.g. a script tag with JavaScript code (here just a JavaScript call to alert()).

Limesurvey - 02 - user group list.png
The moment editing ends and the list of all user groups is shown, the JavaScript is executed.

Limesurvey - 03 - user group list.png
After acknowledging the alert(), the 'normal' listing is shown.

Tags: No tags attached.
Complete LimeSurvey version number (& build): Version 3.16.1+190314
I will donate to the project if issue is resolved: No
Browser: firefox
Database & DB-Version: irrelevant
Server OS (if known): irrelevant
Webserver software & version (if known): irrelevant
PHP Version: irrelevant

Activities

bewi (reporter), 2019-04-02 08:27

DenisChenu (developer), 2019-04-02 09:19, note ~51264

Thanks for reporting.
Is it OK for the group name?

DenisChenu (developer), 2019-04-02 10:15, note ~51266

https://github.com/LimeSurvey/LimeSurvey/commit/cb81914c361f4cb070b217282522f51fed4dc8be

bewi (reporter), 2019-04-02 10:18, note ~51267

The group name seems to be OK. Since the field is much shorter, the payload would be very short.

You might need a general approach to show all fields in a safe way (we had a pen-test two years ago, and there was also an XSS error then).

DenisChenu (developer), 2019-04-02 10:30, note ~51268

Here this part uses its own function, only used for it … I don't understand why, since Yii has all of this.
Someone can always set a column as raw, but if a dev made this (without a good reason and without saying why they did it): the dev made an error.

We have:

  • raw: not updated: allows XSS, must be used with care
  • text: encoded, used by default (must be changed to another only with a good reason)
  • html: shows HTML but filtered
  • some others, but not dedicated to text :)
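The three column types listed in the note above, and the "general approach to show all fields in a safe way" asked for earlier in the thread, modelled in Python as an added example (this is not LimeSurvey's or Yii's code): `raw` passes the stored value into the page untouched, `text` HTML-encodes it, and `html` keeps a small allowlist of formatting tags, drops every attribute and every other tag, and encodes the text in between. The sample rows (including a description holding the script tag from the report) are constructed, and `audit_markup` is a hypothetical check for finding descriptions that were stored before the fix and already contain markup.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample rows, shaped like a user-group list (not real LimeSurvey data).
# Row 3 carries the kind of description the report describes: a script tag.
SAMPLE_GROUPS = [
    {"ugid": 1, "name": "Editors", "description": "Survey editors"},
    {"ugid": 2, "name": "Reviewers", "description": "Bold <b>reviewers</b> & friends"},
    {"ugid": 3, "name": "Testers", "description": "<script>alert(1)</script>"},
]


def format_raw(value):
    """'raw': the stored string goes into the page untouched; this is the XSS path."""
    return value


def format_text(value):
    """'text': every HTML-significant character is encoded, so markup is shown, not run."""
    return html.escape(value, quote=True)


class AllowlistFilter(HTMLParser):
    """'html': keep a few formatting tags, drop all attributes and every other tag,
    and escape the text in between (a simplified stand-in for a purifier)."""

    ALLOWED = {"b", "i", "em", "strong", "p", "br"}
    DROP_WITH_CONTENT = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_WITH_CONTENT:
            self._skip_depth += 1
        elif tag in self.ALLOWED and not self._skip_depth:
            self.out.append(f"<{tag}>")  # attributes (onclick=, href=, ...) are never copied

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in self.DROP_WITH_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
        elif tag in self.ALLOWED and tag != "br" and not self._skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=True))


def format_html(value):
    parser = AllowlistFilter()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)


FORMATTERS = {"raw": format_raw, "text": format_text, "html": format_html}


def render_column(rows, column, column_type="text"):
    """Render one grid column the way a data column configured with that type would."""
    return [FORMATTERS[column_type](row[column]) for row in rows]


# Matches the start of any opening or closing tag.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def audit_markup(rows, column):
    """Hypothetical defender check: ids of rows whose stored value already contains
    a tag, for reviewing data that was saved before the output was encoded."""
    return [row["ugid"] for row in rows if TAG_RE.search(row[column])]


if __name__ == "__main__":
    for column_type in ("raw", "text", "html"):
        print(column_type, render_column(SAMPLE_GROUPS, "description", column_type))
    print("rows with stored markup:", audit_markup(SAMPLE_GROUPS, "description"))
```

Only the `raw` column hands the script tag to the browser unchanged; `text` turns it into visible `&lt;script&gt;` text and `html` removes it together with its contents, while still rendering the `<b>` in row 2. The audit pass is what a defender would run once after switching the column type, since encoding on output does not clean up what is already stored.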

Issue History

Date Modified Username Field Change
2019-04-02 08:27 bewi New Issue
2019-04-02 08:27 bewi File Added: LimeSurvey - 01 - editing user group.png
2019-04-02 08:27 bewi File Added: LimeSurvey - 02 - user group list.png
2019-04-02 08:27 bewi File Added: LimeSurvey - 03 - user group list.png
2019-04-02 09:18 DenisChenu Assigned To => DenisChenu
2019-04-02 09:18 DenisChenu Status new => assigned
2019-04-02 09:18 DenisChenu View Status public => private
2019-04-02 09:19 DenisChenu Note Added: 51264
2019-04-02 09:54 DenisChenu Summary Persistent XSS => Persistent XSS in user group management
2019-04-02 10:15 DenisChenu Status assigned => resolved
2019-04-02 10:15 DenisChenu Resolution open => fixed
2019-04-02 10:15 DenisChenu Fixed in Version => 3.16.x
2019-04-02 10:15 DenisChenu Note Added: 51266
2019-04-02 10:15 DenisChenu View Status private => public
2019-04-02 10:18 bewi Note Added: 51267
2019-04-02 10:30 DenisChenu Note Added: 51268
2019-04-02 16:43 ollehar Status resolved => closed
2019-04-02 16:43 ollehar Fixed in Version 3.16.x => 3.17.x